ASA-2019-00493 – Kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal


Allele Security Alert

ASA-2019-00493

Identifier(s)

ASA-2019-00493, CVE-2019-11249

Title

Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions before v1.13.9
Kubernetes versions before v1.14.5
Kubernetes versions before v1.15.2

Fixed version(s)

Kubernetes version v1.13.9
Kubernetes version v1.14.5
Kubernetes version v1.15.2

Proof of concept

Unknown

Description

This vulnerability allows a malicious container to cause a file to be created or replaced on the client computer when the client uses the kubectl cp operation. The vulnerability is a client-side defect and requires user interaction to be exploited.

Technical details

Unknown

Credits

Yang Yang (Amazon)

Reference(s)

Kubernetes v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://www.openwall.com/lists/oss-security/2019/08/05/5

v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM

CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal #80984
https://github.com/kubernetes/kubernetes/issues/80984

CHANGELOG-1.13.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md

CHANGELOG-1.14.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md

CHANGELOG-1.15.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md

ASA-2019-00391 – Kubernetes: Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal
https://allelesecurity.com/asa-2019-00391/

CVE-2019-11249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11249

CVE-2019-11249
https://nvd.nist.gov/vuln/detail/CVE-2019-11249

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.

One thought on “ASA-2019-00493 – Kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal

Comments are closed.