| modules: |
| - module: k8s.io/kubernetes |
| versions: |
| - fixed: 1.1.1 |
| packages: |
| - package: k8s.io/kubernetes/pkg/api/rest |
| symbols: |
| - BeforeCreate |
| - package: k8s.io/kubernetes/pkg/registry/generic/etcd |
| symbols: |
| - NamespaceKeyFunc |
| - package: k8s.io/kubernetes/pkg/storage |
| symbols: |
| - NamespaceKeyFunc |
| - NoNamespaceKeyFunc |
| - package: k8s.io/kubernetes/pkg/registry/namespace/etcd |
| symbols: |
| - NewREST |
| - package: k8s.io/kubernetes/pkg/registry/node/etcd |
| symbols: |
| - NewREST |
| - package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd |
| symbols: |
| - NewREST |
| description: | |
| Crafted object type names can cause directory traversal in Kubernetes. |
| |
| Object names are not validated before being passed to etcd. This allows |
| attackers to write arbitrary files via a crafted object name, hence causing |
| directory traversal vulnerability in Kubernetes, as used in Red Hat |
| OpenShift Enterprise 3.0. |
| published: 2022-02-15T01:57:18Z |
| cves: |
| - CVE-2015-5305 |
| ghsas: |
| - GHSA-jp32-vmm6-3vf5 |
| credit: liggitt (Jordan Liggitt) |
| references: |
| - fix: https://github.com/kubernetes/kubernetes/pull/16381 |
| - fix: https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7 |
