CVE-2018-1002103: Cross-Site Request Forgery (CSRF)

May 13, 2022 (updated July 21, 2023)

In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem.

References

github.com/advisories/GHSA-6pcv-qqx4-mxm3
github.com/kubernetes/minikube/issues/3208
nvd.nist.gov/vuln/detail/CVE-2018-1002103

Detect and mitigate CVE-2018-1002103 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →