PT-2018-2000 · Kubernetes · Minikube

Alex Kaskasoli · Published 2018-12-03 · Updated 2024-08-20 · CVE-2018-1002103

CVSS v2.0: 9.4 (High), Vector AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

minikube versions 0.3.0 through 0.29.0

Description

The issue stems from improper privilege management in the minikube command-line utility and lets a remote attacker execute arbitrary code. In VM environments where the VM IP address is easy to predict, an attacker can use DNS rebinding from a web page the victim visits to make the victim's browser send requests, indirectly, to the Kubernetes Dashboard exposed on the VM IP at port 30000, creating a new Kubernetes Deployment that runs attacker-chosen code inside the cluster. If minikube mount is in use, that workload can also reach the host filesystem directly.

Recommendations

Versions 0.3.0 through 0.29.0 are affected; upgrade to minikube 0.30.0 or later. Until that is possible, disable the Kubernetes Dashboard or restrict access to it, and avoid minikube mount so that a rogue workload cannot reach the host filesystem. Restrict access to the VM IP at port 30000 as well, bearing in mind that a DNS rebinding request originates from the victim's own browser on the host, which legitimately reaches the VM, so network filtering alone does not stop that vector; removing or guarding the dashboard's exposure on that port does.
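The check that actually defeats the rebinding vector is validating the Host header: under DNS rebinding the browser connects to the VM IP, but the request still carries the attacker's hostname in Host, because that is where the page was loaded from. The following is an added example, not code from minikube or the Kubernetes Dashboard. It assumes the VirtualBox VM address 192.168.99.100 and the port 30000 named in the advisory, and uses a hypothetical endpoint path and a constructed stand-in for the dashboard backend so it runs entirely in-process.

```python
import ipaddress

# Constructed allow-list: loopback names plus the VM IP that minikube's
# VirtualBox driver usually hands out (the "easy to predict" address the
# advisory refers to). In practice, use the output of `minikube ip`.
ALLOWED_HOSTS = frozenset({"127.0.0.1", "localhost", "192.168.99.100"})
DASHBOARD_PORT = 30000


def split_host_port(host_header):
    """Return (host, port) from an HTTP Host header; port is None when absent.

    Handles bracketed IPv6 literals ("[::1]:30000") as well as "host:port".
    Returns (None, None) for malformed values so callers fail closed.
    """
    value = host_header.strip()
    if not value:
        return None, None
    if value.startswith("["):                      # IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
    elif value.count(":") == 1:                    # host:port
        host, rest = value.split(":")
        rest = ":" + rest
    else:                                          # bare host
        host, rest = value, ""
    if rest == "":
        return host.lower(), None
    if not rest.startswith(":") or not rest[1:].isdigit():
        return None, None
    return host.lower(), int(rest[1:])


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS, port=DASHBOARD_PORT):
    """True only when Host names an address the dashboard legitimately uses.

    Under DNS rebinding the victim's browser resolves attacker.example to the
    VM IP, but the Host header still says attacker.example, so it fails here.
    """
    host, hdr_port = split_host_port(host_header)
    if host is None:
        return False
    if hdr_port is not None and hdr_port != port:
        return False
    try:
        host = str(ipaddress.ip_address(host))     # normalise IP spelling
    except ValueError:
        pass                                       # a DNS name, compare as-is
    return host in allowed


def require_known_host(app, allowed=ALLOWED_HOSTS, port=DASHBOARD_PORT):
    """WSGI middleware: reject requests whose Host header is not allow-listed."""
    def guarded(environ, start_response):
        if not host_header_allowed(environ.get("HTTP_HOST", ""), allowed, port):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Host header not recognised\n"]
        return app(environ, start_response)
    return guarded


def dashboard_stub(environ, start_response):
    """Constructed stand-in for the Dashboard backend: it 'creates' whatever it
    is asked to, which is exactly why it must sit behind the guard."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"created": "%s"}' % environ["PATH_INFO"].encode()]


def send(app, host_header, method="POST", path="/api/v1/appdeployment"):
    """Drive a WSGI app in-process (no sockets) and return (status, body).

    The path is an assumption standing in for the Dashboard's deployment
    creation endpoint; it is not taken from the advisory.
    """
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_HOST": host_header, "SERVER_PORT": str(DASHBOARD_PORT)}
    body = b"".join(app(environ, start_response))
    return result["status"], body.decode()


if __name__ == "__main__":
    app = require_known_host(dashboard_stub)
    # Legitimate use: `minikube dashboard` opening the VM IP directly.
    print(send(app, "192.168.99.100:30000"))
    # Rebinding: the browser now connects to 192.168.99.100, but the page was
    # loaded from attacker.example:30000, so that is what Host carries.
    print(send(app, "attacker.example:30000"))
```

The guard answers 421 rather than 403 because the request genuinely arrived at a server that is not the one named in Host; browsers following a rebound DNS answer are the textbook case for that status. The port comparison matters too: rebinding only works when the attacker's page was served on the same port the dashboard listens on, so a Host header naming any other port is equally suspect.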

Fix

Weakness Enumeration

Improper Privilege Management
CSRF

Related Identifiers

BDU:2018-01616
CVE-2018-1002103
GHSA-6PCV-QQX4-MXM3
GO-2023-1961
OPENSUSE-SU-2024:11051-1

Affected Products

Minikube