9.8

CVE-2018-1002105

Exploit

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
KubernetesKubernetes Version >= 1.0.0 <= 1.9.11
KubernetesKubernetes Version >= 1.10.0 <= 1.10.10
KubernetesKubernetes Version >= 1.11.0 <= 1.11.4
KubernetesKubernetes Version >= 1.12.0 <= 1.12.2
KubernetesKubernetes Version1.9.12 Updatebeta0
NetappTrident Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 90.7% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
jordan@liggitt.net 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
http://www.securityfocus.com/bid/106068
Third Party Advisory
VDB Entry
https://github.com/evict/poc_CVE-2018-1002105
Third Party Advisory
Exploit
https://github.com/kubernetes/kubernetes/issues/71411
Patch
Third Party Advisory
Issue Tracking
Mitigation
https://www.exploit-db.com/exploits/46052/
Third Party Advisory
Exploit
VDB Entry
https://www.exploit-db.com/exploits/46053/
Third Party Advisory
Exploit
VDB Entry