CVE-2018-1002100 — Improper Input Validation in Kubernetes

CWE-20 — Improper Input Validation10 documents7 sources

Severity

5.5MEDIUMNVD

CNA4.2

EPSS

0.5%

top 33.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes

Timeline

PublishedJun 2

Latest updateAug 20

Description

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶Gok8s.io/kubernetes1.5.0-alpha.0 — 1.9.6+1

▶CVEListV5kubernetes/kubernetesunspecified — v1.9.6+4

▶Debiankubernetes/kubernetes< 1.17.4-1+3

▶NVDkubernetes/kubernetes1.5.0 — 1.5.9+4

🔴Vulnerability Details

OSV

Kubernetes arbitrary file overwrite in k8s.io/kubernetes↗2024-08-20

▶

OSV

Kubernetes arbitrary file overwrite↗2022-05-13

▶

GHSA

Kubernetes arbitrary file overwrite↗2022-05-13

▶

OSV

CVE-2018-1002100: In Kubernetes versions 1↗2018-06-02

▶

CVEList

CVE-2018-1002100: In Kubernetes versions 1↗2018-06-01

▶

📋Vendor Advisories

Red Hat

kubernetes: Kubectl copy doesn't check for paths outside of it's destination directory↗2018-03-17

▶

Debian

CVE-2018-1002100: kubernetes - In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, t...↗2018

▶

💬Community

Bugzilla

CVE-2018-1002100 kubernetes: Kubectl copy doesn't check for paths outside of it's destination directory↗2018-04-06

▶

Bugzilla

CVE-2018-1002100 kubernetes: Kubectl copy doesn't check for paths outside of it's destination directory [fedora-all]↗2018-04-06

▶