CVE-2018-1002100: Improper Input Validation

May 13, 2022 (updated July 21, 2023)

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

References

bugzilla.redhat.com/show_bug.cgi?id=1564305
github.com/advisories/GHSA-2jq6-ffph-p4h8
github.com/kubernetes/kubernetes/issues/61297
hansmi.ch/articles/2018-04-openshift-s2i-security
nvd.nist.gov/vuln/detail/CVE-2018-1002100

Detect and mitigate CVE-2018-1002100 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →