Bug 1133113 (CVE-2019-11244) - VUL-1: CVE-2019-11244: kubernetes: schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --ca
Summary: VUL-1: CVE-2019-11244: kubernetes: schema info is cached by kubectl in the lo...
Status: RESOLVED FIXED
Alias: CVE-2019-11244
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/230074/
Whiteboard: CVSSv3:SUSE:CVE-2019-11244:5.6:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-23 14:17 UTC by Marcus Meissner
Modified: 2024-07-19 12:38 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-23 14:17:04 UTC 
CVE-2019-11244

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location
specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with
world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed
at a different location accessible to other users/groups, the written files may
be modified by other users/groups and disrupt the kubectl invocation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11244
https://github.com/kubernetes/kubernetes/issues/76676
Comment 4 Alexandre Vicenzi 2024-07-19 08:25:54 UTC 
This was fixed ages ago but never mentioned in the changelog. Currently, we have Kubernetes 1.30 and this was fixed in 1.15.

Marcus, can you close this?
Comment 6 Marcus Meissner 2024-07-19 12:38:43 UTC 
done