Vulnerability Description
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | >= 1.5.0, <= 1.5.9 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305Issue TrackingThird Party Advisory
- https://github.com/kubernetes/kubernetes/issues/61297Third Party Advisory
- https://hansmi.ch/articles/2018-04-openshift-s2i-securityThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305Issue TrackingThird Party Advisory
- https://github.com/kubernetes/kubernetes/issues/61297Third Party Advisory
- https://hansmi.ch/articles/2018-04-openshift-s2i-securityThird Party Advisory
FAQ
What is CVE-2018-1002100?
CVE-2018-1002100 is a vulnerability with a CVSS score of 4.2 (MEDIUM). In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary ...
How severe is CVE-2018-1002100?
CVE-2018-1002100 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1002100?
Check the references section above for vendor advisories and patch information. Affected products include: Kubernetes Kubernetes.