The vulnerability fixed in this update caused damages through the kubectl cp command that is used to copy files and directories to and from containers. Specifically, this vulnerability allowed attackers to implant a malicious tar package that contains a symbolic link header into an image or a running container. During the process in which the tar package is extracted, it modifies or monitors any files stored in the directory that shares the same name with the symbolic link header.

This vulnerability was fixed in kubectl V1.11.9, V1.12.7, V1.13.5, and V1.14.0. You must use one of these versions of kubectl. For more information, see Install and set up kubectl.