Bug 1659877 (CVE-2018-1002101) - CVE-2018-1002101 kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection
Summary: CVE-2018-1002101 kubernetes: Improper input validation while setting up volum...
Keywords:
Status: NEW
Alias: CVE-2018-1002101
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1659878 1659879 1659880 1659881 1679391 1679392
Blocks: 1659882
TreeView+ depends on / blocked
 
Reported: 2018-12-17 06:06 UTC by Sam Fowler
Modified: 2019-09-29 15:04 UTC (History)
18 users (show)

Fixed In Version: kubernetes 1.12.0, kubernetes 1.11.2, kubernetes 1.10.6, kubernetes 1.9.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Sam Fowler 2018-12-17 06:06:54 UTC
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.


Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/65750


Upstream Patches:

https://github.com/kubernetes/kubernetes/commit/d65039c56ce (v1.12.0)
https://github.com/kubernetes/kubernetes/commit/914e404d3fc (v1.11.2)
https://github.com/kubernetes/kubernetes/commit/46981ede3a6 (v1.10.6)
https://github.com/kubernetes/kubernetes/commit/b2fb73ffead (v1.9.10)

Comment 1 Sam Fowler 2018-12-17 06:07:15 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1659878]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1659879]


Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1659880]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1659881]


Note You need to log in before you can comment on or make changes to this bug.