Kubernetes 1.12.x < 1.12.9 / 1.13.x < 1.13.6 / 1.14.x < 1.14.2 kubectl directory traversal
Medium Nessus Plugin ID 126468
Synopsis
The remote host contains an application affected by a directory traversal vulnerability.
Description
The version of Kubernetes installed on the remote host is prior to 1.12.9, or 1.13.x prior to 1.13.6, or 1.14.x prior to 1.14.2. It is, therefore, affected by a directory traversal vulnerability in the kubectl cp command, caused by mishandling of symlinks when copying files from a running container. An unauthenticated, remote attacker can exploit this by convincing a user to run kubectl cp against a malicious container, overwriting arbitrary files on the remote host.
Solution
Upgrade to Kubernetes 1.12.9, 1.13.6, 1.14.2 or later. Refer to the vendor advisory.
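
The description attributes the flaw to symlink handling when files are copied out of a container. As an added example (not code from Tenable or the Kubernetes project), the Go program below audits a tar stream, the format kubectl cp uses to move files, and lists the entries a safe extractor must refuse. `AuditTar`, `escapes` and `sampleArchive` are hypothetical names, and the archive is constructed sample input.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path"
	"strings"
)

// escapes reports whether a slash-separated path leaves the extraction root.
func escapes(p string) bool {
	return path.IsAbs(p) || strings.HasPrefix(path.Clean(p)+"/", "../")
}

// AuditTar (hypothetical helper) lists the entries a safe extractor must refuse.
func AuditTar(r io.Reader) ([]string, error) {
	var bad []string
	links := map[string]bool{} // symlinks declared earlier in this archive
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		name := path.Clean(h.Name)
		reject := escapes(name)
		for d := path.Dir(name); d != "." && d != "/"; d = path.Dir(d) {
			reject = reject || links[d] // no writes through an archive-made symlink
		}
		if h.Typeflag == tar.TypeSymlink { // target resolves from the link's directory
			reject = reject || path.IsAbs(h.Linkname) || escapes(path.Join(path.Dir(name), h.Linkname))
			links[name] = true
		}
		if reject {
			bad = append(bad, h.Name)
		}
	}
	return bad, nil
}

func sampleArchive() io.Reader { // constructed in-memory tar for the demonstration
	var sb strings.Builder
	tw := tar.NewWriter(&sb)
	tw.WriteHeader(&tar.Header{Name: "app/config.txt", Typeflag: tar.TypeReg})
	tw.WriteHeader(&tar.Header{Name: "out", Typeflag: tar.TypeSymlink, Linkname: "../../tmp"})
	tw.WriteHeader(&tar.Header{Name: "out/payload", Typeflag: tar.TypeReg})
	tw.Close()
	return strings.NewReader(sb.String())
}
func main() { fmt.Println(AuditTar(sampleArchive())) }
```

The policy is deliberately strict: it also refuses any write through a symlink created by the archive, even when that link's target stays inside the root.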