x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2019-11246

[tatianab]

CVE-2019-11246 references github.com/kubernetes/kubernetes, which may be a Go module.

Description:
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-11246
• fix: CVE-2019-11246: Clean links handling in cp's tar code kubernetes/kubernetes#76788
• web: https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo
• web: https://security.netapp.com/advisory/ntap-20190919-0003/
• Imported by: https://pkg.go.dev/github.com/kubernetes/kubernetes?tab=importedby

Cross references:

• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-579h-mv94-g4gp #792 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-mqf3-28j7-3mj6 #857 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/apiserver: GHSA-xx8c-m748-xr4j #893 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-2394-5535-8j88 #1628 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jh36-q97c-9928 #1629 NOT_IMPORTABLE
• Module github.com/kubernetes/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2021-25736 #2159 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/kubernetes/kubernetes
      vulnerable_at: 1.28.3
      packages:
        - package: Kubernetes
cves:
    - CVE-2019-11246
credits:
    - Charles Holmes, Atredis Partners
references:
    - fix: https://github.com/kubernetes/kubernetes/pull/76788
    - web: https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo
    - web: https://security.netapp.com/advisory/ntap-20190919-0003/

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports