Another security issue was discovered with the Kubernetes `kubectl cp` command, before versions 1.12.9, 1.13.6 and 1.14.2, that could enable a directory traversal such that a malicious container could replace or create files on a user's workstation. The vulnerability is a client-side defect and requires user interaction to be exploited. The details for this vulnerability are very similar to CVE-2019-1002101. The original fix for that issue was incomplete and a new exploit method was discovered.
Upstream Fix: https://github.com/kubernetes/kubernetes/pull/76788
Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: Charles Holmes (Atredis Partners)
External Reference: https://groups.google.com/forum/#!topic/kubernetes-dev/OxFMDVnqk60
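The record above does not spell out the mechanism, but `kubectl cp` transfers the container side as a tar archive that the client unpacks, which is why a malformed archive can write outside the chosen directory and why the page calls this a client-side defect. The following Go check is an added illustration (not the upstream fix in PR 76788, and all names in it are my own) of the two layers a tar-unpacking client needs before writing each entry: a lexical containment check on the entry name and on any symlink target, plus an on-disk check that nothing already created beneath the destination is a symlink leading back out.

```go
package main
import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// inside reports whether the cleaned absolute path p is dest or lies beneath it.
func inside(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// parentInside walks up from target to the first path that already exists, resolves
// its symlinks and checks it is still under dest (which must exist): a link left on
// disk by an earlier archive entry is invisible to the lexical checks in CheckEntry.
func parentInside(dest, target string) bool {
	realDest, err := filepath.EvalSymlinks(dest)
	if err != nil {
		return false
	}
	for dir := target; ; dir = filepath.Dir(dir) { // ends at dest at the latest
		if real, err := filepath.EvalSymlinks(dir); err == nil {
			return inside(realDest, real)
		}
	}
}

// CheckEntry maps one tar header onto the absolute extraction directory absDest and
// rejects it if the name, a symlink target, or a symlinked parent resolves outside it.
func CheckEntry(absDest string, hdr *tar.Header) (string, error) {
	// Join cleans the result, so a name like "../../x" collapses to a path above absDest.
	target := filepath.Join(absDest, filepath.FromSlash(hdr.Name))
	if !inside(absDest, target) {
		return "", fmt.Errorf("entry %q escapes %s", hdr.Name, absDest)
	}
	if hdr.Typeflag == tar.TypeSymlink { // relative targets resolve from the link's own dir
		link := filepath.FromSlash(hdr.Linkname)
		if !filepath.IsAbs(link) {
			link = filepath.Join(filepath.Dir(target), link)
		}
		if !inside(absDest, filepath.Clean(link)) {
			return "", fmt.Errorf("symlink %q -> %q escapes %s", hdr.Name, hdr.Linkname, absDest)
		}
	}
	if !parentInside(absDest, target) {
		return "", fmt.Errorf("path of %q passes through a symlink leading outside %s", hdr.Name, absDest)
	}
	return target, nil
}
```

Refusing symlink entries outright is the simpler policy; the point of the second layer is that a name-only sanitiser, like the one that preceded this follow-up fix, stays bypassable once the archive itself can plant links on disk.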
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1722684]
Created kubernetes:1.10/kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1722682]
Created kubernetes:openshift-3.10/origin tracking bugs for this issue: Affects: fedora-all [bug 1722683]
In Gluster, the kubernetes version embedded with heketi is older than 1.12.9. Filed trackers; this may end up WONTFIX as kubernetes is not used directly by Gluster.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:1632 https://access.redhat.com/errata/RHSA-2019:1632
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:1633 https://access.redhat.com/errata/RHSA-2019:1633
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11246
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:1852 https://access.redhat.com/errata/RHSA-2019:1852