Vulnerability Details : CVE-2018-1002100
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and 1.9.x prior to 1.9.6, the kubectl cp command insecurely handles the tar stream returned from the container: entry names are not checked against the destination directory, so a malicious or compromised container can cause kubectl to overwrite arbitrary files on the machine running kubectl, with the privileges of the user running it.
Vulnerability category: Input validation
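The defect is easiest to see with the untar step in code. The following is an added example written for this page, not kubectl's own source: it builds a constructed tar archive of the kind a compromised container could return (one benign entry plus one whose name begins with "../../"), extracts it once without any containment check, mimicking the pre-1.9.6 behaviour, and once with a containment check added. The helper names (buildMaliciousTar, safeJoin, untar, extractSample) and file names are assumptions for illustration. The example covers only regular files and ".." traversal; symlink entries, which a hardened extractor also has to handle, are left out.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned by the hardened path for any tar entry whose
// name resolves outside the destination directory.
var ErrOutsideDest = errors.New("tar entry escapes destination directory")

// buildMaliciousTar constructs, in memory, the kind of stream a compromised
// container could hand back to `kubectl cp`: one benign file plus one entry
// whose name climbs out of the destination with "..". (Constructed sample.)
func buildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"app/config.yaml", "replicas: 1\n"},
		{"../../escaped.txt", "owned\n"}, // path-traversal entry
	} {
		hdr := &tar.Header{Name: e.name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// safeJoin is the containment check the vulnerable client lacked: it resolves
// an entry name against dest and rejects absolute names and any name whose
// cleaned path is not inside dest. Hypothetical helper, not Kubernetes' code.
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrOutsideDest
	}
	target := filepath.Join(dest, name) // Join cleans "..", so check the result
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideDest
	}
	return target, nil
}

// untar extracts regular files from a tar stream into dest and returns the
// paths it wrote. With checkPaths=false it mimics the pre-1.9.6 behaviour:
// each entry is written wherever its name says, even outside dest.
func untar(r io.Reader, dest string, checkPaths bool) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks etc. are out of scope for this demo
		}
		target := filepath.Join(dest, hdr.Name) // vulnerable: no containment check
		if checkPaths {
			if target, err = safeJoin(dest, hdr.Name); err != nil {
				return written, fmt.Errorf("%s: %w", hdr.Name, err)
			}
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
		if err != nil {
			return written, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// extractSample runs untar over the constructed archive.
func extractSample(dest string, checkPaths bool) ([]string, error) {
	return untar(bytes.NewReader(buildMaliciousTar()), dest, checkPaths)
}

func main() {
	root, err := os.MkdirTemp("", "kubectl-cp-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, check := range []bool{false, true} {
		written, err := extractSample(filepath.Join(root, "a", "b"), check)
		fmt.Printf("checkPaths=%v wrote %v err=%v\n", check, written, err)
	}
}
```

Run without the check and escaped.txt is created two directories above the destination; with the check the benign entry is still extracted and the traversal entry is refused. The check works on the cleaned result of filepath.Join rather than on the raw name, because a name such as "a/../../x" only reveals its escape after cleaning, while a name such as "..foo/x" is legitimate and must not be rejected by a naive ".." prefix test.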
Products affected by CVE-2018-1002100
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1002100
- EPSS score: 0.58% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~66% (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2018-1002100
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
3.6 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:P | 3.9 | 4.9 | NIST
4.2 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N | 0.5 | 3.6 | Kubernetes
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 | NIST

The two v3.0 vectors model the same flaw from different viewpoints: the Kubernetes vector (AV:N, PR:H, UI:R) assumes a remote attacker who already controls a pod and needs a privileged user to run kubectl cp against it, while the NIST vector (AV:L, PR:L, UI:N) scores the overwrite from the perspective of the kubectl host. Both agree the impact is an integrity loss only (C:N/I:H/A:N).
CWE ids for CVE-2018-1002100
- CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1002100
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305 : 1564305 – (CVE-2018-1002100) CVE-2018-1002100 kubernetes: Kubectl copy doesn't check for paths outside of it's destination directory (Issue Tracking; Third Party Advisory)
- https://hansmi.ch/articles/2018-04-openshift-s2i-security : OpenShift S2I privilege escalation vulnerability (Third Party Advisory)
- https://github.com/kubernetes/kubernetes/issues/61297 : CVE-2018-1002100: Kubectl copy doesn't check for paths outside of it's destination directory. · Issue #61297 · kubernetes/kubernetes · GitHub (Third Party Advisory)