#VU22431 UNIX symbolic link following in Kubernetes - CVE-2019-11251


Published: October 31, 2019


Vulnerability identifier: #VU22431
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-11251
CWE-ID: CWE-61
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Kubernetes
Software vendor:
Kubernetes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue in kubectl cp. A local user can create two symbolic links and overwrite files on the system with the privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.
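The following is an added example, not Kubernetes' own code, of the kind of per-entry check a tar-based copy such as kubectl cp can apply before writing anything to the local destination: it rejects names that escape the destination lexically, refuses to materialise link entries at all, and resolves the entry's parent through the real filesystem so that a symlink already on disk cannot redirect the write. The names CheckEntry, within and realExistingParent are assumed for this example.

```go
package main

import (
	"archive/tar"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether the cleaned path p is dir itself or lies inside it.
func within(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// realExistingParent walks up from p to the nearest existing path and returns it
// with every on-disk symlink resolved.
func realExistingParent(p string) (string, error) {
	for {
		if _, err := os.Lstat(p); err == nil {
			return filepath.EvalSymlinks(p)
		}
		p = filepath.Dir(p)
	}
}

// CheckEntry (hypothetical helper for this example) decides whether one header
// from a tar stream, the format kubectl cp moves files in, may be written under
// dest, and returns the on-disk path. It rejects names that escape dest
// lexically, refuses link entries outright so later entries cannot be routed
// through a link the archive planted, and resolves the entry's parent through
// the real filesystem. dest must exist; races with a concurrent writer are out of scope.
func CheckEntry(dest string, hdr *tar.Header) (string, error) {
	dest, err := filepath.EvalSymlinks(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(dest, hdr.Name) // Join collapses ".." segments
	if !within(dest, target) {
		return "", fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
	}
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		return "", fmt.Errorf("refusing link entry %q -> %q", hdr.Name, hdr.Linkname)
	}
	if real, err := realExistingParent(filepath.Dir(target)); err != nil || !within(dest, real) {
		return "", fmt.Errorf("parent of %q resolves outside %s (%s, %v)", hdr.Name, dest, real, err)
	}
	return target, nil
}
```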


Remediation

Install updates from the vendor's website.

External links