First published: Wed Dec 09 2020(Updated: )
A vulnerability was found in all versions of the `oc` binary packaged in openshift-clients, limited to the `oc image extract` command. A specially crafted container image layer (a .tar file) containing symbolic links can achieve an arbitrary file read and/or write on the machine running `oc`. The existing path checks inspect each archive entry on its own: a symbolic link whose target lies within the extraction directory passes them, and later symbolic links (and the files written through them) can then be routed through that first link to a location outside the directory the archive is being extracted into. If an executable or configuration file can be overwritten as a result, the vulnerability can escalate to arbitrary code execution.
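To make the chain concrete, here is an added example (written for this page; it is not code from `oc` or the openshift-clients project) that builds a constructed image layer in memory and extracts it twice: once behind a per-entry lexical path check of the kind the advisory says is bypassed, and once behind a check that resolves every entry against what has already been written to disk. The entry names `inner`, `out` and `pwned.txt`, the helper functions, and the temporary extraction directory are all assumptions made for the illustration.

```python
"""Symlink-chain bypass of a per-entry tar path check, beside a resolved-path check.
Added example, not oc's code; both archives below are constructed samples."""
import io, os, tarfile, tempfile


def make_tar(entries):
    """entries: (name, kind, link target or file body). Returns the tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, arg in entries:
            ti = tarfile.TarInfo(name)
            if kind == "dir":
                ti.type, ti.mode = tarfile.DIRTYPE, 0o755
                tf.addfile(ti)
            elif kind == "link":
                ti.type, ti.linkname = tarfile.SYMTYPE, arg
                tf.addfile(ti)
            else:
                ti.size = len(data := arg.encode())
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Every entry passes a lexical check, yet the file lands in the parent of dest.
CRAFTED = make_tar([
    ("inner", "link", "."),                # dest/inner -> dest, lexically inside
    ("out", "link", "inner/.."),           # normpath says dest; on disk it is dest/..
    ("out/pwned.txt", "file", "owned\n"),  # written through out, i.e. to ../pwned.txt
])

# A legitimate relative link that a hardened extractor must still accept.
BENIGN = make_tar([
    ("etc", "dir", None),
    ("etc/motd", "file", "hello\n"),
    ("motd", "link", "etc/motd"),
])


def inside(root, path):
    return os.path.commonpath([root, path]) == root


def lexical_check(dest, ti):
    """The bypassed pattern: normalise strings and compare, never looking at disk."""
    path = os.path.normpath(os.path.join(dest, ti.name))
    if not inside(dest, path):
        raise ValueError(f"{ti.name}: escapes {dest}")
    target = os.path.normpath(os.path.join(os.path.dirname(path), ti.linkname))
    if ti.issym() and not inside(dest, target):
        raise ValueError(f"{ti.name} -> {ti.linkname}: link escapes {dest}")
    return path


def resolved_check(dest, ti):
    """Resolve against what is already on disk, so earlier symlinks are followed."""
    real_dest = os.path.realpath(dest)
    path = os.path.join(dest, ti.name)
    real = os.path.realpath(path)  # follows out -> inner/.. -> dest/.. instead of cancelling it
    if not inside(real_dest, real):
        raise ValueError(f"{ti.name}: resolves to {real}, outside {real_dest}")
    if ti.issym():
        if os.path.isabs(ti.linkname):
            raise ValueError(f"{ti.name}: absolute link target {ti.linkname}")
        target = os.path.realpath(os.path.join(os.path.dirname(path), ti.linkname))
        if not inside(real_dest, target):
            raise ValueError(f"{ti.name} -> {ti.linkname}: link resolves to {target}")
    elif os.path.islink(path):
        raise ValueError(f"{ti.name}: refusing to write through an existing symlink")
    return real


def extract(archive, dest, check):
    """Minimal extractor for dirs, symlinks and regular files; each entry is vetted by check."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for ti in tf:
            path = check(dest, ti)
            if ti.isdir():
                os.makedirs(path, exist_ok=True)
            elif ti.issym():
                os.symlink(ti.linkname, path)
            elif ti.isreg():
                with open(path, "wb") as f:  # the kernel follows links in the directory part
                    f.write(tf.extractfile(ti).read())


def run(archive, check):
    """Extract into a fresh temp dir; return (error or None, names leaked into the parent, dest listing)."""
    with tempfile.TemporaryDirectory() as base:
        dest = os.path.join(base, "layer")
        os.mkdir(dest)
        try:
            extract(archive, dest, check)
            err = None
        except ValueError as e:
            err = str(e)
        leaked = sorted(n for n in os.listdir(base) if n != "layer")
        return err, leaked, sorted(os.listdir(dest))


if __name__ == "__main__":
    for label, check in (("lexical", lexical_check), ("resolved", resolved_check)):
        err, leaked, _ = run(CRAFTED, check)
        print(f"{label:8s} error={err!r} leaked into parent={leaked}")
```

The lexical extractor accepts all three entries and `pwned.txt` appears beside, not inside, the extraction directory; the resolved extractor creates `inner`, then rejects `out` because following `inner` on disk turns `inner/..` into the parent directory, and the benign archive still extracts with its link intact. The load-bearing step is resolving each entry's real on-disk location before any write; the link-target check is a best-effort extra, since a forward-referencing link cannot be fully resolved at creation time. Stricter policies that avoid the problem altogether are to reject symlinks whose targets contain `..` or are absolute, or to open files without following links at all (for example `O_NOFOLLOW`, or `openat2` with `RESOLVE_BENEATH` on Linux). Python's own `tarfile.extractall(filter="data")` (Python 3.12 and later) applies checks of this class. None of these guards help if the extraction directory is writable by another principal while extraction is in progress.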
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat OpenShift Container Platform | <=4.7 | |