UNIX symbolic link following in Kubernetes - CVE-2019-11251

Published: October 31, 2019


Vulnerability identifier: #VU22431
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-11251
CWE-ID: CWE-61
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Kubernetes
Affected software:
Kubernetes

Detailed vulnerability description

The vulnerability allows an attacker who controls the contents of a container, or a local user who can influence the files that kubectl cp reads from it, to write files on the client system on which kubectl is run.

The vulnerability exists due to insufficient handling of symbolic links in the client-side extraction performed by kubectl cp. The container side of kubectl cp streams the requested path as a tar archive and the kubectl client unpacks it into the destination directory. A malicious container can place a combination of two symbolic links in that path so that a later archive entry is written outside the destination directory, with the privileges of the user running kubectl.

Successful exploitation results in arbitrary file creation or overwrite on the client with the privileges of the kubectl user. Overwriting a file that the user later executes or sources (for example a shell startup file) turns this into code execution as that user.
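The following Go program is an added worked example written for this page; it is not code from the advisory and not the Kubernetes project's own untar code or fix. It shows the weakness class behind CWE-61 in a client-side extractor of the kind kubectl cp uses: a constructed tar stream carries two symlinks ("sub" pointing to "." and "l1" pointing to "sub/..") whose targets each look contained when checked lexically, because filepath.Join cleans "sub/.." to the destination itself, yet the kernel resolves them to the parent of the destination, so the file entry that follows would land outside it. The hardened extractor shown alongside never creates link entries on the client and, before each write, asks the kernel where the already-existing part of the target path really is. The archive contents, the link and helper names, and the simplified "lexical" view are all assumptions made for the illustration, not details taken from the Kubernetes fix. POSIX only.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// maliciousArchive builds in memory the kind of tar stream a compromised container could hand
// back to the client side of `kubectl cp` (constructed sample, not a real capture): two symlinks
// whose targets look harmless one at a time, then a regular file whose path runs through them.
func maliciousArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	payload := []byte("written outside the destination\n")
	tw.WriteHeader(&tar.Header{Typeflag: tar.TypeSymlink, Name: "sub", Linkname: "."})
	tw.WriteHeader(&tar.Header{Typeflag: tar.TypeSymlink, Name: "l1", Linkname: "sub/.."})
	tw.WriteHeader(&tar.Header{Typeflag: tar.TypeReg, Name: "l1/pwned.txt", Mode: 0o644, Size: int64(len(payload))})
	tw.Write(payload) // body of the last entry, the regular file
	tw.Close()
	return buf.Bytes()
}

func inside(root, path string) bool { // both paths already cleaned
	return path == root || strings.HasPrefix(path, root+string(os.PathSeparator))
}

// realParent reports where the kernel says dir, or its nearest existing ancestor, really is;
// the missing tail below that ancestor can then be created as real directories.
func realParent(dir string) (string, error) {
	for {
		if _, err := os.Lstat(dir); err == nil {
			return filepath.EvalSymlinks(dir)
		} else if !os.IsNotExist(err) || filepath.Dir(dir) == dir {
			return "", err
		}
		dir = filepath.Dir(dir)
	}
}

// safeUntar (my illustration, not kubectl's own fix) never creates link entries on the client
// and refuses any write whose directory resolves outside the resolved destination, which also
// covers "../" names and links that were already in dest. Directory entries are not handled
// separately; parents are created for the files beneath them.
func safeUntar(dest string, archive []byte) (skipped []string, err error) {
	realDest, err := filepath.EvalSymlinks(dest)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err != nil {
			if err == io.EOF {
				err = nil
			}
			return skipped, err
		}
		target := filepath.Join(dest, hdr.Name)
		switch hdr.Typeflag {
		case tar.TypeSymlink, tar.TypeLink:
			skipped = append(skipped, hdr.Name) // report it to the user; never materialise it
		case tar.TypeReg:
			dir := filepath.Dir(target)
			if resolved, err := realParent(dir); err != nil {
				return skipped, err
			} else if !inside(realDest, resolved) {
				return skipped, fmt.Errorf("%q resolves to %q, outside %q", dir, resolved, realDest)
			}
			if err := os.MkdirAll(dir, 0o755); err != nil {
				return skipped, err
			}
			// O_NOFOLLOW guards only the final component; realParent covered the directories.
			f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
			if err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
			if err != nil {
				return skipped, err
			}
		}
	}
}

// Demo: the lexical view (filepath.Join cleans "sub/.." to dest) says both links stay inside,
// the kernel resolves "l1" to the parent of dest, safeUntar refuses to write while those links
// exist, and once they are gone it keeps the file inside dest and reports the links it dropped.
func Demo() (lexicalInside, resolvedToParent, blocked, fileInside bool, skipped []string, err error) {
	root, err := os.MkdirTemp("", "kubectl-cp-demo-")
	if err != nil {
		return
	}
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "dest")
	os.Mkdir(dest, 0o755)
	lexicalInside = inside(dest, filepath.Join(dest, ".")) && inside(dest, filepath.Join(dest, "sub/.."))
	os.Symlink(".", filepath.Join(dest, "sub"))
	os.Symlink("sub/..", filepath.Join(dest, "l1"))
	realL1, _ := filepath.EvalSymlinks(filepath.Join(dest, "l1"))
	realRoot, _ := filepath.EvalSymlinks(root)
	resolvedToParent = realL1 == realRoot
	_, blockErr := safeUntar(dest, maliciousArchive())
	blocked = blockErr != nil
	os.Remove(filepath.Join(dest, "sub"))
	os.Remove(filepath.Join(dest, "l1"))
	if skipped, err = safeUntar(dest, maliciousArchive()); err != nil {
		return
	}
	_, statErr := os.Stat(filepath.Join(dest, "l1", "pwned.txt"))
	fileInside = statErr == nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run` on Linux or macOS; it prints the five observations and a nil error. The check-then-write in safeUntar still has a window in which another process on the same client could swap a directory for a link; directory-confined file operations such as Linux openat2 with RESOLVE_BENEATH, or os.Root in Go 1.24 and later, close that window by letting the kernel enforce containment at open time rather than relying on a prior lookup.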


How to mitigate CVE-2019-11251

Upgrade kubectl on every client machine to a release that contains the fix: 1.13.11, 1.14.7, 1.15.4 or 1.16.0 and later. The flaw is in the kubectl binary, not in the cluster components, so patching the control plane and nodes does not address it; verify the client with `kubectl version --client`. Until kubectl is upgraded, do not run kubectl cp against pods you do not fully trust.

Sources