CVE-2018-1002100
Kubernetes arbitrary file overwrite in k8s.io/kubernetes
5.5
MEDIUM
CVSS 3.1
EPSS 0.51%
Description
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and versions prior to 1.9.6, the kubectl cp command insecurely handles the tar data returned from the container, so a crafted archive can cause it to overwrite arbitrary files on the local machine running kubectl.
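The flaw described above is a path-containment failure when a tar stream from an untrusted container is written to the local filesystem. As an added example (not code from the Kubernetes project or from this advisory), the Go check below is the kind a defender applies before materialising each entry: the entry name is resolved under the destination directory and anything that escapes it is rejected. Function names and the sample archive are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin places a tar entry name under dest and rejects any name that
// would resolve outside it ("../" traversal). Absolute names are re-rooted
// under dest. Assumption: dest contains no attacker-controlled symlinks;
// symlink handling is a separate check not shown here.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join also collapses "." and ".."
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes %q", name, dest)
	}
	return target, nil
}

// vetArchive walks a tar stream and reports which entry names are safe to
// write under dest and which are not. It never touches the disk.
func vetArchive(data []byte, dest string) (accepted, rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return accepted, rejected, nil
		}
		if nerr != nil {
			return nil, nil, nerr
		}
		if _, jerr := safeJoin(dest, hdr.Name); jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
}

// sampleArchive builds a constructed tar stream: one benign entry and one
// whose name tries to climb out of the destination directory.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"app/config.yaml", "../../.bashrc"} {
		body := []byte("constructed sample content\n")
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
		tw.Write(body)
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	ok, bad, err := vetArchive(sampleArchive(), "/tmp/copy-dest")
	fmt.Println("accepted:", ok, "rejected:", bad, "err:", err)
}
```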
How to fix CVE-2018-1002100
To remediate CVE-2018-1002100, upgrade the affected package to a fixed version below.
- Debian/kubernetes: upgrade to 1.17.4-1 or later
- (package not named): upgrade to 1.9.6 or later
- (package not named): upgrade to 1.9.6 or later
Is CVE-2018-1002100 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.17.4-1
- >= 1.5.0-alpha.0, < 1.9.6
- >= 1.5.0, < 1.9.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |