CVE-2019-11249

Advisory lineage Upstream: 0 Downstream: 5

Downstream

RHBA-2019:2794 RHBA-2019:2816 RHSA-2019:3239 RHSA-2019:3811 UBUNTU-CVE-2019-11249

Modified

Published: 29 Aug 2019, 00:26

Last modified:16 Sept 2024, 18:19

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

6.5 MEDIUM

v3.1 (nvd)

EPSS Score

2.85% LOW

3% probability -0.67%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 Aug 2019, 00:26

Published

Vulnerability first disclosed

16 Sept 2024, 18:19

Last Modified

Vulnerability information updated

Description

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
v3.0•MEDIUM•Score: 4.8CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS Trends

Current EPSS score: 2.85%• Percentile: 86%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-61•UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Affected Systems

kubernetes•kubernetes
≥ 1.0.0, ≤ 1.12.10 | ≥ 1.13.0, < 1.13.9 | ≥ 1.14.0, < 1.14.5 | ≥ 1.15.0, < 1.15.2 | 1.12.11:beta0 | prior to 1.13.9 | prior to 1.14.5 | prior to 1.15.2 | 1.1 | 1.2 | 1.4 | 1.5 | 1.6 | 1.7 | 1.8 | 1.9 | 1.10 | 1.11 | 1.12
redhat•openshift_container_platform
3.9 | 3.10 | 3.11 | 4.1