Arbitrary Command Injection

Affecting github.com/kubernetes/kubernetes/pkg/util/mount package, versions >=1.9.0 <1.9.10 || >=1.10.0 <1.10.6 || >=1.11.0 <1.11.2

Overview

github.com/kubernetes/kubernetes/pkg/util/mount is the mount utility package of Kubernetes, a production-grade container scheduling and management system.

Affected versions of this package are vulnerable to Arbitrary Command Injection. User input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
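The defensive check this advisory points to, as an added Go example that is not Kubernetes' own code: a strict allowlist for Windows mount paths is applied before any path is placed on a command line, so shell metacharacters never reach the argument string. The helper binary name and the two accepted path shapes (drive-letter and UNC) are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Allowlisted shapes for a Windows mount path (assumption for this example):
// a drive-letter path such as C:\var\lib\kubelet\pods\... or a UNC share \\server\share\dir.
var (
	drivePathRe = regexp.MustCompile(`^[A-Za-z]:\\[A-Za-z0-9_.\-\\ ]*$`)
	uncPathRe   = regexp.MustCompile(`^\\\\[A-Za-z0-9_.\-]+\\[A-Za-z0-9_.\-$]+(\\[A-Za-z0-9_.\- ]+)*$`)
)

// ValidateWindowsMountPath rejects anything outside the allowlist, so quotes,
// semicolons, parentheses, backticks and line breaks are refused up front.
func ValidateWindowsMountPath(p string) error {
	if p == "" || strings.ContainsAny(p, "\r\n") {
		return errors.New("mount path is empty or contains line breaks")
	}
	if drivePathRe.MatchString(p) || uncPathRe.MatchString(p) {
		return nil
	}
	return fmt.Errorf("mount path %q contains characters outside the allowlist", p)
}

// MountArgs validates both paths and returns an argv slice in which each path is
// its own argument; nothing is ever interpolated into a single command string.
// "mount-helper.exe" is a placeholder name, not a real Kubernetes binary.
func MountArgs(source, target string) ([]string, error) {
	for _, p := range []string{source, target} {
		if err := ValidateWindowsMountPath(p); err != nil {
			return nil, err
		}
	}
	return []string{"mount-helper.exe", "--source", source, "--target", target}, nil
}

func main() {
	// Constructed inputs: one well-formed pair and one tainted target path.
	if args, err := MountArgs(`\\fileserver\share`, `C:\mnt\data`); err == nil {
		fmt.Println("ok:", args)
	}
	if _, err := MountArgs(`\\fileserver\share`, `C:\mnt\data" ; extra`); err != nil {
		fmt.Println("rejected:", err)
	}
}
```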

Remediation

Upgrade github.com/kubernetes/kubernetes/pkg/util/mount to version 1.9.10, 1.10.6, 1.11.2 or higher.

CVSS Score

7.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Credit: andyzhangx
CVE: CVE-2018-1002101
CWE: CWE-78
Snyk ID: SNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETESPKGUTILMOUNT-72885
Disclosed: 03 Jul, 2018
Published: 03 Jan, 2019