Bug 1151300 – VUL-0: CVE-2019-11251: kubernetes: `kubectl cp` allows for arbitrary file write via double symlinks

Bug 1151300 - (CVE-2019-11251) VUL-0: CVE-2019-11251: kubernetes: `kubectl cp` allows for arbitrary file write via double symlinks

(CVE-2019-11251)
Summary:	VUL-0: CVE-2019-11251: kubernetes: `kubectl cp` allows for arbitrary file wri...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/242943/
Whiteboard:	CVSSv3:SUSE:CVE-2019-11251:5.3:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-19 10:03 UTC by Alexandros Toptsoglou
Modified:	2022-04-14 12:51 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-09-19 10:03:59 UTC

CVE-2019-11251

A vulnerability has been discovered in `kubectl cp` that allows a
combination of two  symlinks to copy a file outside of its destination
directory. This could be used to allow an attacker to place a netfarious
file using a symlink, outside of the destination tree.

Reference:
https://github.com/kubernetes/kubernetes/pull/82143
https://github.com/kubernetes/kubernetes/pull/82143
https://github.com/kubernetes/kubernetes/pull/82384
https://github.com/kubernetes/kubernetes/pull/82502
https://github.com/kubernetes/kubernetes/pull/82503

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1753495
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11251

Comment 1 Alexandros Toptsoglou 2019-09-19 11:16:27 UTC

Tracked as affected the following codestreams: 

SUSE:SLE-12-SP3:Update:Products:CASP30:Update and 
SUSE:SLE-15-SP1:Update:Products:CASP40:Update

Comment 2 Marcus Meissner 2019-09-19 13:43:01 UTC

hmm, bugowner was given the wrong result for some reason...

Comment 5 Marcus Meissner 2019-12-20 14:43:28 UTC

was this referenced in your changes entries=?

Comment 6 Gabriele Sonnu 2022-04-14 12:51:05 UTC

Done.