CVE-2017-1002102 — Link Following in Kubernetes

CWE-59 — Link Following CWE-284 — Improper Access Control12 documents8 sources

Severity

5.6MEDIUMNVD

CNA7.1

EPSS

0.5%

top 34.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes

Timeline

PublishedMar 13

Latest updateAug 20

Description

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages4 packages

▶Gok8s.io/kubernetes1.3.0 — 1.7.14+2

▶CVEListV5kubernetes/kubernetesunspecified — v1.7.14+6

▶NVDkubernetes/kubernetes1.7.0 — 1.7.14+6

▶Debiankubernetes/kubernetes< 1.7.16+dfsg-1+3

🔴Vulnerability Details

OSV

Kubernetes can trigger deletion of arbitrary files from the nodes where containers are running in k8s.io/kubernetes↗2024-08-20

▶

OSV

Kubernetes arbitrary file overwrite↗2022-05-13

▶

GHSA

Kubernetes arbitrary file overwrite↗2022-05-13

▶

Kernel

Merge branch 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs↗2020-01-29

▶

OSV

CVE-2017-1002102: In Kubernetes versions 1↗2018-03-13

▶

📋Vendor Advisories

Red Hat

kubernetes: Malicious containers can delete any file from the node↗2018-03-06

▶

Debian

CVE-2017-1002102: kubernetes - In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, ...↗2017

▶

💬Community

Bugzilla

CVE-2017-1002102 origin: kubernetes: Malicious containers can delete any file from the node [fedora-all]↗2018-03-13

▶

Bugzilla

CVE-2017-1002102 kubernetes: Malicious containers can delete any file from the node [fedora-all]↗2018-03-12

▶

Bugzilla

CVE-2017-1002102 kubernetes: Malicious containers can delete any file from the node↗2018-03-06

▶