CVE-2017-1002102: Kubernetes arbitrary file overwrite

May 13, 2022 (updated July 26, 2023)

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

References

access.redhat.com/errata/RHSA-2018:0475
github.com/advisories/GHSA-mm7g-f2gg-cw8g
github.com/kubernetes/kubernetes/issues/60814
nvd.nist.gov/vuln/detail/CVE-2017-1002102

Detect and mitigate CVE-2017-1002102 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →