The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Kubernetes | Kubernetes | 1.13.0 (including) | 1.13.11 (excluding) |
| Kubernetes | Kubernetes | 1.14.0 (including) | 1.14.7 (excluding) |
| Kubernetes | Kubernetes | 1.15.0 (including) | 1.15.4 (excluding) |
| Kubernetes | Kubernetes | 1.1-1.12 (including) | 1.1-1.12 (including) |
| Red Hat OpenShift Container Platform 3.11 | RedHat | atomic-openshift-0:3.11.154-1.git.0.7a097ad.el7 | * |
| Red Hat OpenShift Container Platform 3.9 | RedHat | atomic-openshift-0:3.9.102-1.git.0.6411f52.el7 | * |
| Red Hat OpenShift Container Platform 4.1 | RedHat | openshift-0:4.1.21-201910220952.git.0.493dbf6.el7 | * |
| Red Hat OpenShift Container Platform 4.1 | RedHat | openshift4/ose-cli:v4.1.21-201910230924 | * |
| Kubernetes | Ubuntu | disco | * |
| Kubernetes | Ubuntu | eoan | * |
| Kubernetes | Ubuntu | groovy | * |
| Kubernetes | Ubuntu | hirsute | * |
| Kubernetes | Ubuntu | impish | * |
| Kubernetes | Ubuntu | kinetic | * |
| Kubernetes | Ubuntu | lunar | * |
| Kubernetes | Ubuntu | mantic | * |