Information disclosure in Kubernetes - CVE-2017-1002100
Published: September 14, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38289
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-1002100
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Kubernetes
Affected software:
Kubernetes
Kubernetes
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
How to mitigate CVE-2017-1002100
Install update from vendor's website.