CVE-2019-11251

Description

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.

CVSS Metrics

• v3.1•MEDIUM•Score: 4.8CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
• v3.1•MEDIUM•Score: 5.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
• v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 2.65%• Percentile: 86%

Techniques & Countermeasures

• CWE-59•Improper Link Resolution Before File Access ('Link Following')

  The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

• CWE-61•UNIX Symbolic Link (Symlink) Following

  The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Affected Systems

• k8s.io•kubernetes

  ≥ 1.13.10, < 1.13.11 | ≥ 1.14.6, < 1.14.7 | ≥ 1.15.3, < 1.16.0

• kubernetes•kubernetes

  ≥ 1.13.0, < 1.13.11 | ≥ 1.14.0, < 1.14.7 | ≥ 1.15.0, < 1.15.4 | 1.1-1.12 | prior to 1.13.11 | prior to 1.14.7 | prior to 1.15.4 | 1.1 | 1.2 | 1.3 | 1.4 | 1.5 | 1.6 | 1.7 | 1.8 | 1.9 | 1.10 | 1.11 | 1.12

References (5)

• https://github.com/kubernetes/kubernetes/issues/87773
• https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ
• https://nvd.nist.gov/vuln/detail/CVE-2019-11251
• https://github.com/kubernetes/kubernetes/pull/82143
• https://github.com/advisories/GHSA-6qfg-8799-r575