{
  "threat_severity" : "Moderate",
  "public_date" : "2019-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: `kubectl cp` allows for arbitrary file write via double symlinks",
    "id" : "1753495",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1753495"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-59",
  "details" : [ "The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree." ],
  "statement" : "This issue did not affect the version of Kubernetes(embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not include the symlink support for kubectl cp.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-11-18T00:00:00Z",
    "advisory" : "RHSA-2019:3905",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.154-1.git.0.7a097ad.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3811",
    "cpe" : "cpe:/a:redhat:openshift:3.9::el7",
    "package" : "atomic-openshift-0:3.9.102-1.git.0.6411f52.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-10-30T00:00:00Z",
    "advisory" : "RHSA-2019:3266",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift-0:4.1.21-201910220952.git.0.493dbf6.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-10-30T00:00:00Z",
    "advisory" : "RHSA-2019:3267",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-cli:v4.1.21-201910230924"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-11251\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11251\nhttps://groups.google.com/forum/#!msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ" ],
  "name" : "CVE-2019-11251",
  "csaw" : false
}