CVE-2018-1002100
Published: 02 June 2018
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
Priority
Medium
CVSS 3 base score: 5.5
Status
| Package | Release | Status |
|---|---|---|
|
kubernetes Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
Notes
| Author | Note |
|---|---|
| leosilva | kubernates is in fact a kubernetes installer that calls snap, not the package it self. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002100
- https://github.com/kubernetes/kubernetes/issues/61297
- https://github.com/kubernetes/kubernetes/commit/f180c969ccd47b9d00dbaf5cbd5b37eb8b49ae08 (1.9.x)
- NVD
- Launchpad
- Debian