CVE-2018-1103

Impact: Moderate
Public Date: 2018-06-12
CWE: CWE-22
Bugzilla: 1563993: CVE-2018-1103 source-to-image: Unsanitized paths in tar.go:ExtractTarStreamFromTarReader() allow malicious containers to overwrite files on the client machine
An improper input validation flaw (path traversal, CWE-22) was found in the source-to-image component of OpenShift. When files are copied from a pod to the local machine, the tar stream produced by the container is extracted without sanitizing the entry paths. An attacker who controls a malicious container and can trick a user into running the copy command could therefore overwrite files outside the target directory of the command on the user's machine.
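The following is an added illustration of the defect class and its fix; it is not source-to-image's code and the function names (SafeJoin, ExtractTarStream, BuildMaliciousTar) are this example's own. It extracts a tar stream the way a client-side copy command would, but resolves every entry name under the target directory and refuses any name that climbs out of it, which is the check the Bugzilla title says was missing. The archive it extracts is constructed inline: one benign entry and one entry that a malicious container could use to write into the user's home directory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for tar entries whose name would resolve outside
// the extraction directory (CWE-22).
var ErrTraversal = errors.New("tar entry escapes target directory")

// SafeJoin resolves an archive entry name under targetDir and rejects it if
// the cleaned result is not inside targetDir. Entry names come from the
// container and must never be trusted.
func SafeJoin(targetDir, name string) (string, error) {
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrTraversal
	}
	cleanDir := filepath.Clean(targetDir)
	dest := filepath.Join(cleanDir, name) // Join cleans the result, collapsing ".."
	rel, err := filepath.Rel(cleanDir, dest)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", ErrTraversal
	}
	return dest, nil
}

// ExtractTarStream is a hardened extraction loop (this example's own, not
// s2i's ExtractTarStreamFromTarReader). It writes directories and regular
// files under targetDir, stops at the first entry that escapes it, and
// returns the paths it wrote so far.
func ExtractTarStream(r io.Reader, targetDir string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		dest, err := SafeJoin(targetDir, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("%q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(dest, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return written, err
			}
			if _, err := io.Copy(f, tr); err != nil {
				f.Close()
				return written, err
			}
			f.Close()
		default:
			// Symlinks and hard links need their own link-target check;
			// refuse them rather than guess.
			return written, fmt.Errorf("%q: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
		written = append(written, dest)
	}
}

// BuildMaliciousTar returns a constructed archive (sample input for this
// example) with one benign entry and one entry that tries to climb out of
// the target directory, as a malicious container could emit.
func BuildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"app/index.html", "hello"},
		{"../../.bashrc", "echo pwned"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	target, _ := os.MkdirTemp("", "s2i-extract-")
	defer os.RemoveAll(target)
	out := filepath.Join(target, "out")
	written, err := ExtractTarStream(bytes.NewReader(BuildMaliciousTar()), out)
	fmt.Println("written:", written)
	fmt.Println("error:", err)
	// The unchecked join the advisory describes would have produced:
	fmt.Println("unchecked destination:", filepath.Join(out, "../../.bashrc"))
}
```

The key point is that `filepath.Join` alone is not a defence: it happily collapses `out/../../.bashrc` into a path two levels above the target. The escape is only caught by comparing the cleaned result against the target directory, which is what `SafeJoin` does before any file is opened.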

Find out more about CVE-2018-1103 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 6.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

Affected Packages State

Platform                                                    Package           State
Red Hat Software Collections for Red Hat Enterprise Linux   source-to-image   Affected
Red Hat OpenShift Enterprise 3                              source-to-image   Affected

Acknowledgements

Red Hat would like to thank Michael Hanselmann (Independent) for reporting this issue.
