CVE-2018-1002101
Published 2018-12-05
Priority P3 53 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.11% (89.5th percentile)
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
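The class of bug the description names, as an added illustration in Go. This is not the kubelet's code from pkg/util/mount, and the page does not say which command the affected code ran; the example assumes a hypothetical helper that mounts an SMB share by running `net use`, and the drive letter, UNC path and hostile value are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// UnsafeMountCommand shows the vulnerable pattern: an attacker-influenced volume
// source is formatted into one command line that a shell (cmd.exe /c) will
// re-tokenise. Whatever the value contains (spaces, "&", quotes) becomes part of
// the command instead of part of the path.
func UnsafeMountCommand(driveLetter, uncPath string) string {
	return fmt.Sprintf("net use %s %s", driveLetter, uncPath)
}

// TokenCount approximates how many arguments the shell would hand to net.exe by
// splitting on whitespace. Real Windows parsing also honours quotes, but a
// whitespace split is enough to show the extra arguments an injected value adds.
func TokenCount(cmdline string) int {
	return len(strings.Fields(cmdline))
}

var (
	// A single drive letter followed by a colon, e.g. "Z:".
	driveLetterRE = regexp.MustCompile(`^[A-Za-z]:$`)
	// A UNC path \\host\share with optional sub-directories. No whitespace,
	// quotes or shell metacharacters are admitted.
	uncPathRE = regexp.MustCompile(`^\\\\[A-Za-z0-9.-]+\\[A-Za-z0-9._-]+(\\[A-Za-z0-9._-]+)*$`)
)

// SafeMountArgs is the hardened form: inputs are checked against a strict
// allow-list and returned as separate argv elements, suitable for
// exec.Command("net", args...) with no shell in between. A value that would
// smuggle extra tokens is rejected rather than quoted.
func SafeMountArgs(driveLetter, uncPath string) ([]string, error) {
	if !driveLetterRE.MatchString(driveLetter) {
		return nil, fmt.Errorf("invalid drive letter %q", driveLetter)
	}
	if !uncPathRE.MatchString(uncPath) {
		return nil, fmt.Errorf("invalid UNC path %q", uncPath)
	}
	return []string{"net", "use", driveLetter, uncPath}, nil
}

func main() {
	benign := `\\fileserver\data`
	// Constructed attacker value: a space lets extra "net use" switches ride
	// along with the share path.
	hostile := `\\fileserver\data /user:attacker Passw0rd`

	for _, src := range []string{benign, hostile} {
		cmd := UnsafeMountCommand("Z:", src)
		fmt.Printf("unsafe: %q -> %d tokens\n", cmd, TokenCount(cmd))
		if args, err := SafeMountArgs("Z:", src); err != nil {
			fmt.Println("safe:   rejected:", err)
		} else {
			fmt.Printf("safe:   argv=%q\n", args)
		}
	}
}
```

Passing the values as separate argv elements removes the shell from the picture, but a Windows child process still re-parses a single command-line string under its own rules, so the allow-list that excludes whitespace, quotes and metacharacters is what actually keeps a value from turning into extra arguments; rejecting bad input is safer than trying to quote it.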
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| k8s.io | kubernetes | >= 1.10.0 < 1.10.6 | 1.10.6 |
| k8s.io | kubernetes | >= 1.11.0 < 1.11.2 | 1.11.2 |
| k8s.io | kubernetes | >= 1.9.0 < 1.9.10 | 1.9.10 |
| kubernetes | kubernetes | 1.10.0 – 1.10.5 | — |
| kubernetes | kubernetes | 1.11.0 – 1.11.1 | — |
| kubernetes | kubernetes | 1.9.0 – 1.9.9 | — |
| kubernetes | kubernetes | >= unspecified < v1.9.10 | v1.9.10 |
| kubernetes | kubernetes | >= unspecified < v1.10.6 | v1.10.6 |
| kubernetes | kubernetes | >= unspecified < v1.11.2 | v1.11.2 |
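To find which nodes in a cluster fall in the ranges above, here is an added Go example (not part of the page or of Kubernetes). It consumes the output of `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kubeletVersion}{"\t"}{.status.nodeInfo.operatingSystem}{"\n"}{end}'` and applies the ranges from the description (1.9.0-1.9.9, 1.10.0-1.10.5, 1.11.0-1.11.1); the node list embedded in the block is constructed sample output, not real cluster data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRange is one row of the advisory's affected table: every version
// with the given major.minor and a patch level below fixedPatch is vulnerable.
type affectedRange struct {
	major, minor, fixedPatch int
}

// Ranges from the advisory text: 1.9.0-1.9.9, 1.10.0-1.10.5, 1.11.0-1.11.1.
var affectedRanges = []affectedRange{
	{1, 9, 10},
	{1, 10, 6},
	{1, 11, 2},
}

// parseVersion accepts kubelet-style strings such as "v1.10.3" or
// "v1.9.9-eks.2" and returns major, minor, patch; pre-release and build
// suffixes are dropped since patch numbering is what the advisory keys on.
func parseVersion(s string) (int, int, int, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised version %q: %v", s, err)
		}
		n[i] = v
	}
	return n[0], n[1], n[2], nil
}

// IsAffected reports whether a kubelet version is in a vulnerable range and,
// if so, the first fixed release on that minor.
func IsAffected(version string) (bool, string, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		if major == r.major && minor == r.minor && patch < r.fixedPatch {
			return true, fmt.Sprintf("v%d.%d.%d", r.major, r.minor, r.fixedPatch), nil
		}
	}
	return false, "", nil
}

// Constructed sample of the kubectl output described in the lead-in:
// one node per line, "name<TAB>kubeletVersion<TAB>operatingSystem".
var sampleNodes = strings.Join([]string{
	"node-a\tv1.10.3\twindows",
	"node-b\tv1.10.3\tlinux",
	"node-c\tv1.11.2\twindows",
	"node-d\tv1.9.9-eks.2\twindows",
}, "\n")

// VulnerableWindowsNodes returns the names of Windows nodes whose kubelet is
// in an affected range. Linux nodes are skipped because the vulnerable code
// path is the Windows volume-mount setup.
func VulnerableWindowsNodes(nodes string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(nodes), "\n") {
		f := strings.Split(line, "\t")
		if len(f) != 3 {
			return nil, fmt.Errorf("unexpected line %q", line)
		}
		if f[2] != "windows" {
			continue
		}
		hit, _, err := IsAffected(f[1])
		if err != nil {
			return nil, err
		}
		if hit {
			out = append(out, f[0])
		}
	}
	return out, nil
}

func main() {
	names, err := VulnerableWindowsNodes(sampleNodes)
	if err != nil {
		panic(err)
	}
	for _, n := range names {
		fmt.Println("affected:", n)
	}
}
```

Only Windows nodes are reported because the bug is in the kubelet's Windows mount path, but a mixed cluster should still be upgraded as a whole. Versions older than 1.9 lie outside the ranges the advisory states and come back as not affected here; treat them as unsupported rather than as safe.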
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 5.9 | LOW | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
The NVD vector assumes an unauthenticated network attacker; the vendor scores of 5.9 (and Debian's "Scope: local") reflect that the attacker must already be able to supply volume-mount input to a cluster that has Windows nodes, since only the Windows mount path is affected.
OSV
Kubernetes Arbitrary Command Injection in k8s.io/kubernetes
osv·2024-08-21
OSV
Kubernetes Arbitrary Command Injection
osv·2022-02-15·MEDIUM
### Specific Go Packages Affected
k8s.io/kubernetes/pkg/util/mount
GHSA
Kubernetes Arbitrary Command Injection
ghsa·2022-02-15·MEDIUM·CWE-78
### Specific Go Packages Affected
k8s.io/kubernetes/pkg/util/mount
Red Hat
kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection
vendor_redhat·2018-12-17·CVSS 5.9 (MEDIUM)·CWE-78
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Will not fix
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Will not fix
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.2) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.3) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.4) - Out of support scope
Package: atomic-openshift (Red Hat OpenShi
Debian
CVE-2018-1002101: kubernetes
vendor_debian·2018·CVSS 5.9 (MEDIUM)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1002101 kubernetes:openshift-3.10/origin: kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection [fedora-29]
bugzilla·2018-12-17·CVSS 5.9 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the
Bugzilla
CVE-2018-1002101 kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection
bugzilla·2018-12-17·CVSS 5.9 (MEDIUM)
Upstream Issue:
https://github.com/kubernetes/kubernetes/issues/65750
Upstream Patches:
https://github.com/kubernetes/kubernetes/commit/d65039c56ce (v1.12.0)
https://github.com/kubernetes/kubernetes/commit/914e404d3fc (v1.11.2)
https://github.com/kubernetes/kubernetes/commit/46981ede3a6 (v1.10.6)
https://github.com/kubernetes/kubernetes/commit/b2fb73ffead (v1.9.10)
Discussion:
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bu
Bugzilla
CVE-2018-1002101 kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection [fedora-all]
bugzilla·2018-12-17·CVSS 5.9 (MEDIUM)
Bugzilla
CVE-2018-1002101 kubernetes:1.1/kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection [fedora-29]
bugzilla·2018-12-17·CVSS 5.9 (MEDIUM)
Bugzilla
CVE-2018-1002101 origin: kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection [fedora-all]
bugzilla·2018-12-17·CVSS 5.9 (MEDIUM)
Bugzilla (related entry for a different CVE, CVE-2017-1002101)
CVE-2017-1002101 kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath
bugzilla·2017-12-12·CVSS 8.8 (HIGH)
It was found that volume security can be sidestepped with innocent emptyDir and subpath. A pod could give full control over node host by gaining access to docker socket.
Discussion:
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1554420]
---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.3
Red Hat OpenShift Container Platform 3.4
Red Hat OpenShift Container Platform 3.5
Red Hat OpenShift Container Platform 3.6
Red Hat OpenShift Container Platform 3.7
Via RHSA-2018:0475 https://access.redhat.com/errata/RHSA-2018:0475
---
This flaw allows a pod to mount any part of the host filesystem. The pod will run with th