Privilege Escalation

Affecting github.com/kubernetes/kubernetes/staging/src/k8s.io/apimachinery/pkg/util/proxy package, versions <1.10.11 || >=1.11.0 <1.11.5 || >=1.12.0 <1.12.3

Overview

kubernetes provides production-grade container scheduling and management.

Affected versions of this package are vulnerable to Privilege Escalation. Incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

Remediation

Upgrade kubernetes to versions 1.10.11, 1.11.5, 1.12.3, 1.13.0-rc.1 or higher.
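The affected range above uses the Snyk convention in which "||" separates alternatives and whitespace-separated comparators within one alternative must all hold. The following Go program is an added example (not code from Snyk or from the Kubernetes project) that parses that expression and reports whether a given kube-apiserver release falls inside it; the parser and its pre-release handling (a tag such as "rc.1" sorts below the final release with the same numbers, as in semver) are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed Kubernetes release number (major.minor.patch plus an
// optional pre-release tag such as "rc.1").
type version struct {
	major, minor, patch int
	pre                 string
}

// parseVersion accepts forms like "1.12.3", "v1.12.3" or "1.13.0-rc.1".
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare returns -1, 0 or 1. A pre-release sorts below the final release
// with the same numbers (1.13.0-rc.1 < 1.13.0). Assumption: lexical order
// between two pre-release tags is good enough for range checks.
func compare(a, b version) int {
	for _, pair := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}} {
		if pair[0] != pair[1] {
			if pair[0] < pair[1] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == "" && b.pre != "":
		return 1
	case a.pre != "" && b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// satisfies evaluates a single comparator such as "<1.10.11" or ">=1.12.0".
func satisfies(v version, comparator string) (bool, error) {
	op := ""
	for _, candidate := range []string{">=", "<=", "<", ">", "="} {
		if strings.HasPrefix(comparator, candidate) {
			op = candidate
			break
		}
	}
	if op == "" {
		return false, fmt.Errorf("missing operator in %q", comparator)
	}
	bound, err := parseVersion(strings.TrimPrefix(comparator, op))
	if err != nil {
		return false, err
	}
	c := compare(v, bound)
	switch op {
	case "<":
		return c < 0, nil
	case "<=":
		return c <= 0, nil
	case ">":
		return c > 0, nil
	case ">=":
		return c >= 0, nil
	}
	return c == 0, nil
}

// IsAffected reports whether ver lies inside a Snyk-style range expression:
// "||" separates alternatives; every comparator inside an alternative must hold.
func IsAffected(ver, rangeExpr string) (bool, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, alt := range strings.Split(rangeExpr, "||") {
		comparators := strings.Fields(alt)
		allHold := len(comparators) > 0
		for _, comparator := range comparators {
			ok, err := satisfies(v, comparator)
			if err != nil {
				return false, err
			}
			if !ok {
				allHold = false
				break
			}
		}
		if allHold {
			return true, nil
		}
	}
	return false, nil
}

// AffectedRange is the range stated in this advisory.
const AffectedRange = "<1.10.11 || >=1.11.0 <1.11.5 || >=1.12.0 <1.12.3"

func main() {
	// Constructed sample inputs: one release on each side of every boundary.
	for _, ver := range []string{"v1.10.10", "1.10.11", "1.11.4", "1.11.5", "1.12.2", "1.12.3", "1.13.0-rc.1"} {
		affected, err := IsAffected(ver, AffectedRange)
		if err != nil {
			fmt.Println(ver, "error:", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", ver, affected)
	}
}
```

Because a pre-release sorts below its final release, a build such as 1.12.3-rc.1 is reported as affected even though 1.12.3 is not; that is the conservative reading a defender wants when deciding whether an apiserver still needs the upgrade.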

CVSS Score: 9.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit: Jordan Liggitt
CVE: CVE-2018-1002105
CWE: CWE-269
Snyk ID: SNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETESSTAGINGSRCK8SIOAPIMACHINERYPKGUTILPROXY-72666
Disclosed: 05 Dec, 2018
Published: 10 Dec, 2018