Vulnerability Report: GO-2022-0701

CVE-2015-5305, GHSA-jp32-vmm6-3vf5
Affects: k8s.io/kubernetes
Published: Feb 15, 2022
Modified: Jun 12, 2023

Crafted object type names can cause directory traversal in Kubernetes. Object names are not validated before being passed to etcd. This allows attackers to write arbitrary files via a crafted object name, hence causing directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0.

Affected Packages

Path

Versions

Symbols
k8s.io/kubernetes/pkg/api/rest

before v1.1.1
- BeforeCreate
k8s.io/kubernetes/pkg/registry/generic/etcd

before v1.1.1
- NamespaceKeyFunc
k8s.io/kubernetes/pkg/storage

before v1.1.1
- NamespaceKeyFunc
- NoNamespaceKeyFunc
k8s.io/kubernetes/pkg/registry/namespace/etcd

before v1.1.1
- NewREST
k8s.io/kubernetes/pkg/registry/node/etcd

before v1.1.1
- NewREST
k8s.io/kubernetes/pkg/registry/persistentvolume/etcd

before v1.1.1
- NewREST

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Vulnerability Report: GO-2022-0701

Affected Packages

Aliases

References

Credits

Feedback