Kubernetes arbitrary file overwrite

GHSA-2jq6-ffph-p4h8 · CVE-2018-1002100 · GO-2023-1959

Published May 13, 2022 · Modified Feb 3, 2026

Description

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-1002100
WEB https://github.com/kubernetes/kubernetes/issues/61297
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1564305
PACKAGE https://github.com/kubernetes/kubernetes
WEB https://hansmi.ch/articles/2018-04-openshift-s2i-security

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes