The kubectl cp command allows users to copy files between containers and user machines. Attackers can implant a malicious TAR package that has a header with a symbolic link to images or running containers. When the kubectl cp command decompresses the TAR package, it can both modify and follow the files in the symbolic link. This vulnerability is fixed in kubectl 1.11.9, 1.12.7, 1.13.5, and 1.14.0. For more information, see Install and set up kubectl. You can use kubectl of the preceding versions to avoid this vulnerability.