PT-2019-5665 · Kubernetes · Alt Linux
Erik Sjölund
Published 2019-09-18 · Updated 2025-08-08
CVE-2019-11251
CVSS v2.0 base score: 7.1 (High)
| Vector | AV:N/AC:M/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Kubernetes versions 1.1 through 1.12
Kubernetes versions prior to 1.13.11
Kubernetes versions prior to 1.14.7
Kubernetes versions prior to 1.15.4
Description
The vulnerability is in the kubectl cp command, which copies files out of a container by running tar inside the container and unpacking the resulting stream on the machine where kubectl runs. A malicious or compromised container can return a tar stream containing a combination of two symlinks that, when unpacked, places a file outside of the destination directory given on the kubectl cp command line. An attacker who controls the contents of a pod that a user copies from can therefore write a file of their choosing anywhere the kubectl user has write access, with that user's privileges. The underlying weakness is incorrect link resolution before file access (CWE-59): the client does not fully verify where each path in the stream actually resolves on the local filesystem before writing through it. The vulnerable code is in the kubectl client binary, not in the cluster components.
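The mechanism above in working code. This is an added example written for this page; it is not kubectl's own implementation and not the upstream fix, and the tar stream, entry names and payload are constructed here. With strict set to false the extractor joins each entry name onto the destination and lets the operating system resolve it, so a symlink entry that points above the destination followed by a file entry named through that link writes the file outside the tree, which is the class of behaviour the description refers to. With strict set to true every name, symlink target and parent directory is checked against the destination, and parent directories are resolved on the filesystem rather than lexically before anything is created; that check is one reasonable design, not a description of how kubectl resolved the issue.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesDest marks a tar entry that would land outside the destination.
var ErrEscapesDest = errors.New("tar entry escapes destination directory")

// buildTar returns a constructed in-memory tar stream: symlink entries given as
// {name, target} pairs, then one regular file (the shape the advisory describes).
func buildTar(links [][2]string, fileName string, payload []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, l := range links {
		_ = tw.WriteHeader(&tar.Header{Name: l[0], Typeflag: tar.TypeSymlink, Linkname: l[1]})
	}
	_ = tw.WriteHeader(&tar.Header{Name: fileName, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(payload))})
	_, _ = tw.Write(payload)
	_ = tw.Close()
	return buf.Bytes()
}

// withinDir reports whether absolute path p is root itself or lies below it.
func withinDir(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ensureDirInside creates rel below root one component at a time. A symlink component
// is resolved on the filesystem, not lexically, and rejected if it leaves root.
func ensureDirInside(root, rel string) (string, error) {
	cur := root
	for _, comp := range strings.Split(rel, string(filepath.Separator)) {
		next := filepath.Join(cur, comp)
		fi, err := os.Lstat(next)
		if os.IsNotExist(err) {
			err = os.Mkdir(next, 0o755)
		} else if err == nil && fi.Mode()&os.ModeSymlink != 0 {
			if next, err = filepath.EvalSymlinks(next); err == nil && !withinDir(root, next) {
				err = fmt.Errorf("%w: %q resolves to %q", ErrEscapesDest, comp, next)
			}
		}
		if err != nil {
			return "", err
		}
		cur = next
	}
	return cur, nil
}

// extract unpacks data below dest. strict=false joins each name onto dest and lets
// the OS resolve it (the advisory's behaviour: a file named through an earlier
// symlink lands wherever that link points); strict=true checks everything first.
func extract(dest string, data []byte, strict bool) (err error) {
	if err = os.MkdirAll(dest, 0o755); err == nil {
		dest, err = filepath.EvalSymlinks(dest) // e.g. /tmp -> /private/tmp on macOS
	}
	tr := tar.NewReader(bytes.NewReader(data))
	for err == nil {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return nil
		} else if nerr != nil {
			return nerr
		}
		name := filepath.Clean(hdr.Name)
		dir := filepath.Join(dest, filepath.Dir(name))
		if !strict {
			err = os.MkdirAll(dir, 0o755) // follows a symlink already on the path
		} else if !withinDir(dest, filepath.Join(dest, name)) {
			err = fmt.Errorf("%w: %q", ErrEscapesDest, hdr.Name)
		} else {
			dir, err = ensureDirInside(dest, filepath.Dir(name))
		}
		target := filepath.Join(dir, filepath.Base(name))
		switch {
		case err != nil: // parent directory could not be established safely
		case hdr.Typeflag != tar.TypeSymlink:
			var content []byte
			if content, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(target, content, 0o644)
			}
		case strict && (filepath.IsAbs(hdr.Linkname) || !withinDir(dest, filepath.Join(dir, hdr.Linkname))):
			// Lexical check only: Join cleans "../..", and absolute targets are refused outright.
			err = fmt.Errorf("%w: symlink %q -> %q", ErrEscapesDest, hdr.Name, hdr.Linkname)
		default:
			err = os.Symlink(hdr.Linkname, target)
		}
	}
	return err
}
```

Go is used because kubectl is written in Go. The lexical check on symlink targets is not enough on its own: a link to "." stays inside the destination lexically, yet a second link whose target is "link/../x" passes the same lexical check while really resolving to a sibling of the destination, and a file named through that second link then escapes. Resolving each parent component on the filesystem at write time, as ensureDirInside does, is what catches chained links of that kind before anything is created.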
Recommendations
The fix is in the kubectl client, so it is the kubectl binary that must be upgraded; the version of the cluster itself does not determine exposure.
For versions 1.1 through 1.12, which receive no fix, update kubectl to 1.13.11, 1.14.7, 1.15.4 or later.
For 1.13.x prior to 1.13.11, update to version 1.13.11 or later.
For 1.14.x prior to 1.14.7, update to version 1.14.7 or later.
For 1.15.x prior to 1.15.4, update to version 1.15.4 or later.
Until kubectl has been upgraded, avoid running kubectl cp to copy files out of pods you do not fully trust (an untrusted image, or a workload that may have been compromised), and run it from an account with limited write access on the local machine.
Weakness
Link Following (CWE-59, Improper Link Resolution Before File Access)
Related Identifiers
CVE-2019-11251
Affected Products
Alt Linux
Kubernetes