Vulnerability fixed: CVE-2019-1002101 in kubectl cp
Last Updated: Dec 11, 2020

The kubectl cp command copies files between containers and the user's machine by streaming a TAR archive out of the container and unpacking it locally. An attacker who controls what a container holds, whether by publishing a malicious image or by compromising a running container, can place a crafted TAR archive there whose headers contain a symbolic link pointing outside the destination directory, followed by entries whose paths pass through that link. When kubectl cp unpacks the archive it creates the symbolic link and then follows it, so the attacker can write or overwrite arbitrary files on the user's machine with the privileges of the user running kubectl. The vulnerability is fixed in kubectl 1.11.9, 1.12.7, 1.13.5, and 1.14.0. Upgrade kubectl to one of these versions or a later one; for installation instructions, see Install and set up kubectl. Until you have upgraded, do not run kubectl cp against containers or images you do not trust.
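The following Go program is added here as an illustration; it is not code from this advisory or from the kubectl project. It builds a constructed archive in memory (a symlink entry `escape -> ../escaped` followed by a file entry `escape/pwned.txt`) and unpacks it twice: once the way a naive extractor does, creating the link and then opening the file path through it, and once with the containment checks a hardened extractor applies (entry path inside the destination, symlink target inside the destination, and the real, symlink-resolved parent directory inside the destination). The `Extract` and `insideDest` helpers, the `escaped`/`dest` directory layout and the temp root are assumptions made for this example; the checks approximate the kind of validation a fixed kubectl performs rather than reproducing its code.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildMaliciousTar builds, in memory, an archive of the shape the advisory
// describes: a symlink that points outside the extraction directory, then a
// regular file whose path runs through it. Constructed sample, not a real payload.
func buildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	// "escape" -> "../escaped": a directory beside dest, standing in for a real target such as $HOME.
	_ = tw.WriteHeader(&tar.Header{Name: "escape", Typeflag: tar.TypeSymlink, Linkname: "../escaped", Mode: 0o777})
	payload := []byte("written outside the destination\n")
	// This entry's path goes through the symlink the previous entry created.
	_ = tw.WriteHeader(&tar.Header{Name: "escape/pwned.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(payload))})
	_, _ = tw.Write(payload)
	_ = tw.Close()
	return buf.Bytes()
}

// insideDest reports whether the absolute, cleaned path p is dest or below it.
func insideDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Extract unpacks regular files and symlinks from archive into dest. strict=false
// follows the vulnerable pattern (create whatever the headers say, then open paths
// through any symlink that now exists); strict=true refuses an entry whose path,
// link target or resolved parent directory lies outside dest and returns those names.
func Extract(archive []byte, dest string, strict bool) ([]string, error) {
	dest, err := filepath.EvalSymlinks(dest) // canonical, so resolved parents compare equal
	if err != nil {
		return nil, err
	}
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return rejected, err
		}
		target := filepath.Join(dest, hdr.Name) // Join cleans, but "../x" still escapes
		if strict && !insideDest(dest, target) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return rejected, err
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			link := hdr.Linkname
			if !filepath.IsAbs(link) {
				link = filepath.Join(filepath.Dir(target), link)
			}
			if strict && !insideDest(dest, link) {
				rejected = append(rejected, hdr.Name)
				continue
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			// In strict mode resolve the (now existing) parent, so no symlink, from this archive or already on disk, can redirect the write.
			if real, e := filepath.EvalSymlinks(filepath.Dir(target)); strict && (e != nil || !insideDest(dest, real)) {
				rejected = append(rejected, hdr.Name)
				continue
			}
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		}
		if err != nil {
			return rejected, err
		}
	}
}

func main() {
	for _, strict := range []bool{false, true} {
		root := filepath.Join(os.TempDir(), fmt.Sprintf("cp-demo-%d-strict-%v", os.Getpid(), strict))
		outside, dest := filepath.Join(root, "escaped"), filepath.Join(root, "dest")
		_ = os.MkdirAll(outside, 0o755)
		_ = os.MkdirAll(dest, 0o755)
		rejected, err := Extract(buildMaliciousTar(), dest, strict)
		_, statErr := os.Stat(filepath.Join(outside, "pwned.txt"))
		fmt.Printf("strict=%v escaped=%v rejected=%v err=%v\n", strict, statErr == nil, rejected, err)
		os.RemoveAll(root)
	}
}
```

Run as is, the first line reports that pwned.txt landed in escaped, the directory the symlink pointed at; the second reports that only the symlink entry was refused and the file was written inside dest instead. The resolved-parent check is worth keeping even once link targets are validated, because a symlink already present in the destination directory would otherwise redirect the write just as effectively.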