First published: Wed Sep 26 2018
Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kubernetes Kubernetes | >=1.10.0, <=1.13.13 | |
| Kubernetes Kubernetes | =1.14.0-alpha0 | |
| Kubernetes Kubernetes | =1.14.0-alpha1 | |
| Fedoraproject Fedora | =31 | |
| redhat/atomic-openshift | <0:3.11.346-1.git.0.ea10721.el7 | 0:3.11.346-1.git.0.ea10721.el7 |
The vulnerability ID is CVE-2018-1002102.
The severity of CVE-2018-1002102 is low with a severity value of 2.6.
Kubernetes API server versions prior to v1.14.0 are affected by CVE-2018-1002102.
An attacker-controlled Kubelet can redirect API server requests from streaming endpoints to arbitrary hosts.
To fix CVE-2018-1002102, update the Kubernetes API server to version 1.14.0 or higher.
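As an added illustration (not Kubernetes' own code), the Go program below reproduces the behaviour the advisory describes and one way to close it: a stock `http.Client` follows a 302 from a local stand-in "kubelet" to a different host, while a client whose `CheckRedirect` pins the scheme and host:port of the original request refuses the cross-host redirect. The two servers, the path and the error name are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrCrossHostRedirect is returned when a redirect would leave the original host.
var ErrCrossHostRedirect = errors.New("refusing redirect to a different host")

// newPinnedClient returns an http.Client that follows a redirect only when the
// Location keeps the scheme and host:port of the request that started the chain.
// A default http.Client follows any Location as a GET, and a transport-level TLS
// client certificate would be presented to the new host as well.
func newPinnedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			orig := via[0].URL
			if req.URL.Scheme != orig.Scheme || req.URL.Host != orig.Host {
				return ErrCrossHostRedirect
			}
			return nil
		},
	}
}

// demo runs two constructed local servers: "kubelet" answers a streaming-style
// request with a 302 to "other", which stands in for an arbitrary third host.
// It reports whether the client's request actually reached "other".
func demo(client *http.Client) (bool, error) {
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "request received")
	}))
	defer other.Close()
	kubelet := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+r.URL.Path, http.StatusFound)
	}))
	defer kubelet.Close()

	resp, err := client.Get(kubelet.URL + "/exec/ns/pod/container")
	if err != nil {
		return false, err // the pinned client ends up here with ErrCrossHostRedirect
	}
	defer resp.Body.Close()
	return resp.Request.URL.Host == other.Listener.Addr().String(), nil
}

func main() {
	reached, _ := demo(&http.Client{})
	fmt.Println("default client reached the other host:", reached) // true
	_, err := demo(newPinnedClient())
	fmt.Println("pinned client:", err) // wrapped ErrCrossHostRedirect
}
```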