CVE-2017-1002101
First published: Tue Dec 12 2017(Updated: )
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kubernetes Kubernetes | >=1.3.0<=1.3.10 | |
| Kubernetes Kubernetes | >=1.4.0<=1.4.12 | |
| Kubernetes Kubernetes | >=1.5.0<=1.5.8 | |
| Kubernetes Kubernetes | >=1.6.0<=1.6.13 | |
| Kubernetes Kubernetes | >=1.7.0<1.7.14 | |
| Kubernetes Kubernetes | >=1.8.0<1.8.9 | |
| Kubernetes Kubernetes | >=1.9.0<1.9.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
- https://access.redhat.com/errata/RHSA-2018:0475
- https://github.com/bgeesaman/subpath-exploit/
- https://github.com/kubernetes/kubernetes/issues/60813
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1554420
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1554569
- https://access.redhat.com/errata/RHSA-2018:1072
- https://access.redhat.com/security/cve/cve-2017-1002101
- https://bugzilla.redhat.com/show_bug.cgi?id=1525130
Frequently Asked Questions
What is CVE-2017-1002101?
CVE-2017-1002101 is a vulnerability in Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x, and prior to versions 1.7.14, 1.8.9, and 1.9.4 that allows containers using subpath volume mounts to access files/directories outside of the volume, including the host's filesystem.
What is the severity of CVE-2017-1002101?
The severity of CVE-2017-1002101 is critical with a CVSS score of 9.6.
How can I check if my Kubernetes version is affected by CVE-2017-1002101?
You can check if your Kubernetes version is affected by CVE-2017-1002101 by verifying if it falls within the vulnerable version ranges: 1.3.x, 1.4.x, 1.5.x, 1.6.x, and prior to versions 1.7.14, 1.8.9, and 1.9.4.
How do I fix CVE-2017-1002101 in Kubernetes?
To fix CVE-2017-1002101 in Kubernetes, you need to upgrade to versions 1.7.14, 1.8.9, or 1.9.4 or later.
Where can I find more information about CVE-2017-1002101?
You can find more information about CVE-2017-1002101 in the following references: [https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1554420](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1554420), [https://access.redhat.com/errata/RHSA-2018:0475](https://access.redhat.com/errata/RHSA-2018:0475), [https://github.com/kubernetes/kubernetes/issues/60813](https://github.com/kubernetes/kubernetes/issues/60813).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-1002101
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.3.0
- version/kubernetes kubernetes/1.3.10
- version/kubernetes kubernetes/1.4.0
- version/kubernetes kubernetes/1.4.12
- version/kubernetes kubernetes/1.5.0
- version/kubernetes kubernetes/1.5.8
- version/kubernetes kubernetes/1.6.0
- version/kubernetes kubernetes/1.6.13
- version/kubernetes kubernetes/1.7.0
- version/kubernetes kubernetes/1.8.0
- version/kubernetes kubernetes/1.9.0