data/reports/GO-2022-0701.yaml - vulndb - Git at Google

 id: GO-2022-0701
 modules:
     - module: k8s.io/kubernetes
       versions:
         - fixed: 1.1.1
       vulnerable_at: 1.1.0
       packages:
         - package: k8s.io/kubernetes/pkg/api/rest
           symbols:
             - BeforeCreate
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
         - package: k8s.io/kubernetes/pkg/registry/generic/etcd
           symbols:
             - NamespaceKeyFunc
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
         - package: k8s.io/kubernetes/pkg/api/storage
           symbols:
             - NamespaceKeyFunc
             - NoNamespaceKeyFunc
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
         - package: k8s.io/kubernetes/pkg/registry/namespace/etcd
           symbols:
             - NewREST
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
         - package: k8s.io/kubernetes/pkg/registry/node/etcd
           symbols:
             - NewREST
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
         - package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd
           symbols:
             - NewREST
           skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
 summary: Directory traversal in k8s.io/kubernetes
 description: |-
     Crafted object type names can cause directory traversal in Kubernetes.

     Object names are not validated before being passed to etcd. This allows
     attackers to write arbitrary files via a crafted object name, hence causing
     directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift
     Enterprise 3.0.
 published: 2022-02-15T01:57:18Z
 cves:
     - CVE-2015-5305
 ghsas:
     - GHSA-jp32-vmm6-3vf5
 credits:
     - liggitt (Jordan Liggitt)
 references:
     - fix: https://github.com/kubernetes/kubernetes/pull/16381
     - fix: https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7
 review_status: REVIEWED
	id: GO-2022-0701
	modules:
	- module: k8s.io/kubernetes
	versions:
	- fixed: 1.1.1
	vulnerable_at: 1.1.0
	packages:
	- package: k8s.io/kubernetes/pkg/api/rest
	symbols:
	- BeforeCreate
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	- package: k8s.io/kubernetes/pkg/registry/generic/etcd
	symbols:
	- NamespaceKeyFunc
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	- package: k8s.io/kubernetes/pkg/api/storage
	symbols:
	- NamespaceKeyFunc
	- NoNamespaceKeyFunc
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	- package: k8s.io/kubernetes/pkg/registry/namespace/etcd
	symbols:
	- NewREST
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	- package: k8s.io/kubernetes/pkg/registry/node/etcd
	symbols:
	- NewREST
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	- package: k8s.io/kubernetes/pkg/registry/persistentvolume/etcd
	symbols:
	- NewREST
	skip_fix: 'TODO: Revisit this reason (Dependency github.com/docker/docker/pkg/units no longer exists)'
	summary: Directory traversal in k8s.io/kubernetes
	description: \|-
	Crafted object type names can cause directory traversal in Kubernetes.

	Object names are not validated before being passed to etcd. This allows
	attackers to write arbitrary files via a crafted object name, hence causing
	directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift
	Enterprise 3.0.
	published: 2022-02-15T01:57:18Z
	cves:
	- CVE-2015-5305
	ghsas:
	- GHSA-jp32-vmm6-3vf5
	credits:
	- liggitt (Jordan Liggitt)
	references:
	- fix: https://github.com/kubernetes/kubernetes/pull/16381
	- fix: https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7
	review_status: REVIEWED