{
  "threat_severity" : "Moderate",
  "public_date" : "2018-03-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Malicious containers can delete any file from the node",
    "id" : "1551818",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1551818"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-59",
  "details" : [ "In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.", "This vulnerability allows containers using a secret, configMap, projected, or downwardAPI volume to trigger deletion of arbitrary files and directories on the nodes where they are running. An attacker could use this flaw to delete arbitrary file or directories on node host." ],
  "acknowledgement" : "This issue was discovered by Joel Smith (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "release_date" : "2018-03-12T00:00:00Z",
    "advisory" : "RHSA-2018:0475",
    "cpe" : "cpe:/a:redhat:openshift:3.3::el7",
    "package" : "atomic-openshift-0:3.3.1.46.11-1.git.4.e236015.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "release_date" : "2018-03-12T00:00:00Z",
    "advisory" : "RHSA-2018:0475",
    "cpe" : "cpe:/a:redhat:openshift:3.4::el7",
    "package" : "atomic-openshift-0:3.4.1.44.38-1.git.4.bb8df08.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "release_date" : "2018-03-12T00:00:00Z",
    "advisory" : "RHSA-2018:0475",
    "cpe" : "cpe:/a:redhat:openshift:3.5::el7",
    "package" : "atomic-openshift-0:3.5.5.31.48-1.git.4.ff6153e.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "release_date" : "2018-03-12T00:00:00Z",
    "advisory" : "RHSA-2018:0475",
    "cpe" : "cpe:/a:redhat:openshift:3.6::el7",
    "package" : "atomic-openshift-0:3.6.173.0.96-1.git.4.e6301f8.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "release_date" : "2018-03-12T00:00:00Z",
    "advisory" : "RHSA-2018:0475",
    "cpe" : "cpe:/a:redhat:openshift:3.7::el7",
    "package" : "atomic-openshift-0:3.7.23-1.git.5.83efd71.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "kubernetes",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-1002102\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1002102" ],
  "name" : "CVE-2017-1002102",
  "csaw" : false
}