CVE-2019-11251

kubectl cp allows symlink directory traversal

CVSS 4.8 MEDIUM · EPSS 2.3% · CWE-61
In short

The kubectl cp command in Kubernetes can be tricked by a malicious container to write files outside the intended destination folder using symlinks. An attacker could exploit this to place harmful files in unexpected locations on your system.

Technical detail

The kubectl cp command fails to properly validate symlinks in tar archives from container output, allowing directory traversal via chained symlinks. An attacker controlling a container can craft tar output with symlinks that bypass destination directory restrictions, enabling arbitrary file placement on the host running kubectl.

Summary generated and translated by AI from the official description.
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
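
A pre-extraction check for the symlink handling described above, as an added example that is not kubectl's code or the upstream fix. The names `auditTar`, `outside` and `sample` are hypothetical, the archive is constructed, and the policy of refusing any write that passes through a symlink declared in the same archive is an assumption chosen to be conservative: it also catches chains in which each link target looks in-tree on its own.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path"
	"strings"
)

func outside(p string) bool { return path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") }

// auditTar flags entries that could be written outside the extraction root.
func auditTar(r io.Reader) (findings []string) {
	links := map[string]bool{} // cleaned names of symlinks declared so far
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return append(findings, "unreadable archive: "+err.Error())
		}
		name := path.Clean(h.Name)
		if outside(name) {
			findings = append(findings, h.Name+": name escapes root")
		}
		for p := path.Dir(name); p != "." && p != "/"; p = path.Dir(p) {
			if links[p] { // a parent of this entry is a symlink from the archive
				findings = append(findings, h.Name+": written through symlink "+p)
			}
		}
		if h.Typeflag == tar.TypeSymlink {
			links[name] = true
			if path.IsAbs(h.Linkname) || outside(path.Join(path.Dir(name), h.Linkname)) {
				findings = append(findings, h.Name+": symlink target escapes root")
			}
		}
	}
	return findings
}

func sample() io.Reader { // constructed: benign link, link to parent, file under it
	var sb strings.Builder
	tw := tar.NewWriter(&sb)
	tw.WriteHeader(&tar.Header{Name: "data/cur", Typeflag: tar.TypeSymlink, Linkname: "a.txt"})
	tw.WriteHeader(&tar.Header{Name: "logs", Typeflag: tar.TypeSymlink, Linkname: ".."})
	tw.WriteHeader(&tar.Header{Name: "logs/app.txt", Typeflag: tar.TypeReg})
	tw.Close()
	return strings.NewReader(sb.String())
}

func main() { fmt.Println(strings.Join(auditTar(sample()), "\n")) }
```

An extractor would treat any finding as a reason to abort before writing the first entry.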
Affected products
Kubernetes · Kubernetes
