CVE-2019-11246

kubectl cp allows symlink directory traversal

CVSS 6.4 MEDIUMEPSS 3.6%CWE-61

In short

The kubectl cp command can be exploited if a container has a malicious tar binary, allowing an attacker to write files anywhere on the user's machine when copying files from that container. This happens because kubectl unpacks the tar archive without proper validation of its contents.

Technical detail

kubectl cp executes tar inside the container and unpacks the resulting archive on the local machine without validating symlinks or path traversal attempts. An attacker controlling the container's tar binary can output malicious tar streams with directory traversal sequences (CWE-61), writing files to arbitrary locations on the host machine within the local user's permission scope.

Summary generated and translated by AI from the official description.

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11.

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected products

Kubernetes · Kubernetes

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/kubernetes/kubernetes/pull/76788 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/NLs2TGbfPdo https://security.netapp.com/advisory/ntap-20190919-0003/