CRITICAL✓ PATCH🇬🇧 English

CVE-2018-1002105

CVSS 9.8v3.0pub. 2018-12-05upd. 2024-11-21

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kubernetes

    APP
    Kubernetes
    1.9.121.0.0 – 1.9.111.10.0 – 1.10.101.11.0 – 1.11.41.12.0 – 1.12.2
  • Netapp Trident

    APP
    Netapp
    wszystkie wersje
  • Red Hat OpenShift Container Platform

    APP
    Redhat
    3.103.113.23.33.43.53.63.8
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
Container
CWE
Referencje

Powiązane podatności

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2019-1003029CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/...

CVE-2019-1003030CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main...

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2026-4408CRITICAL9.0PL ✓ten sam produkt

Samba: RCE przez command injection w 'check password script' z podstawieniem %u