Crafted object type names can cause directory traversal in Kubernetes.
Object names are not validated before being passed to etcd. This allows attackers to write arbitrary files via a crafted object name, hence causing directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0701" }
{ "imports": [ { "path": "k8s.io/kubernetes/pkg/api/rest", "symbols": [ "BeforeCreate" ] }, { "path": "k8s.io/kubernetes/pkg/registry/generic/etcd", "symbols": [ "NamespaceKeyFunc" ] }, { "path": "k8s.io/kubernetes/pkg/api/storage", "symbols": [ "NamespaceKeyFunc", "NoNamespaceKeyFunc" ] }, { "path": "k8s.io/kubernetes/pkg/registry/namespace/etcd", "symbols": [ "NewREST" ] }, { "path": "k8s.io/kubernetes/pkg/registry/node/etcd", "symbols": [ "NewREST" ] }, { "path": "k8s.io/kubernetes/pkg/registry/persistentvolume/etcd", "symbols": [ "NewREST" ] } ] }