CVE-2019-11244: Incorrect Permission Assignment for Critical Resource
(updated )
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
References
- www.securityfocus.com/bid/108064
- access.redhat.com/errata/RHSA-2019:3942
- access.redhat.com/errata/RHSA-2020:0020
- access.redhat.com/errata/RHSA-2020:0074
- github.com/advisories/GHSA-2575-pghm-6qqx
- github.com/kubernetes/client-go/commit/790a4f63632139cf6731014d00a9a8338f1fbd7d
- github.com/kubernetes/kubernetes/issues/76676
- github.com/kubernetes/kubernetes/pull/77874
- github.com/kubernetes/kubernetes/pull/77874/commits/f228ae3364729caed59087e23c42868454bc3ff4
- nvd.nist.gov/vuln/detail/CVE-2019-11244
- security.netapp.com/advisory/ntap-20190509-0002/
Detect and mitigate CVE-2019-11244 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →