Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2015-5305 (GCVE-0-2015-5305)
Vulnerability from cvelistv5
Published
2015-11-06 18:00
Modified
2024-08-06 06:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:09.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"name": "RHSA-2015:1945",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-11-06T17:57:03",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"name": "RHSA-2015:1945",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5305",
"datePublished": "2015-11-06T18:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:09.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2015-5305\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-11-06T18:59:00.110\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de salto de directorio en Kubernetes, tal como se utiliza en Red Hat OpenShift Enterprise 3.0, permite a atacantes escribir a archivos arbitrarios a trav\u00e9s de un nombre de tipo objeto manipulado, que no es manejado correctamente antes de pasarlo a etcd.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"45690263-84D9-45A1-8C30-3ED2F0F11F47\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2015:1945\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1273969\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2015:1945\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1273969\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
rhsa-2015_1945
Vulnerability from csaf_redhat
Published
2015-10-27 18:41
Modified
2024-11-22 09:32
Summary
Red Hat Security Advisory: kubernetes security update
Notes
Topic
Updated kubernetes packages that fix one security issue are now
available for Red Hat OpenShift Enterprise 3.0.
Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the references section.
Details
Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.
Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)
Red Hat would like to thank Jordan Liggitt for discovering and
reporting this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated kubernetes packages that fix one security issue are now \navailable for Red Hat OpenShift Enterprise 3.0.\n\nRed Hat Product Security has rated this update as having Moderate \nsecurity impact. A Common Vulnerability Scoring System (CVSS) base \nscore, which gives a detailed severity rating, is available from the \nCVE link in the references section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.\n\nKubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)\n\nRed Hat would like to thank Jordan Liggitt for discovering and \nreporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1945",
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1945.json"
}
],
"title": "Red Hat Security Advisory: kubernetes security update",
"tracking": {
"current_release_date": "2024-11-22T09:32:53+00:00",
"generator": {
"date": "2024-11-22T09:32:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:1945",
"initial_release_date": "2015-10-27T18:41:38+00:00",
"revision_history": [
{
"date": "2015-10-27T18:41:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-27T18:41:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:32:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise 3.0",
"product": {
"name": "Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.0::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-master@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-sdn-ovs@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tuned-profiles-openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Jordan Liggitt"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2015-5305",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273969"
}
],
"notes": [
{
"category": "description",
"text": "Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Kubernetes: Missing name validation allows path traversal in etcd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5305"
},
{
"category": "external",
"summary": "RHBZ#1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5305",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5305"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
}
],
"release_date": "2015-10-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-27T18:41:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Kubernetes: Missing name validation allows path traversal in etcd"
}
]
}
RHSA-2015:1945
Vulnerability from csaf_redhat
Published
2015-10-27 18:41
Modified
2025-09-25 11:54
Summary
Red Hat Security Advisory: kubernetes security update
Notes
Topic
Updated kubernetes packages that fix one security issue are now
available for Red Hat OpenShift Enterprise 3.0.
Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the references section.
Details
Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.
Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)
Red Hat would like to thank Jordan Liggitt for discovering and
reporting this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated kubernetes packages that fix one security issue are now \navailable for Red Hat OpenShift Enterprise 3.0.\n\nRed Hat Product Security has rated this update as having Moderate \nsecurity impact. A Common Vulnerability Scoring System (CVSS) base \nscore, which gives a detailed severity rating, is available from the \nCVE link in the references section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.\n\nKubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)\n\nRed Hat would like to thank Jordan Liggitt for discovering and \nreporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1945",
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1945.json"
}
],
"title": "Red Hat Security Advisory: kubernetes security update",
"tracking": {
"current_release_date": "2025-09-25T11:54:48+00:00",
"generator": {
"date": "2025-09-25T11:54:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.8"
}
},
"id": "RHSA-2015:1945",
"initial_release_date": "2015-10-27T18:41:38+00:00",
"revision_history": [
{
"date": "2015-10-27T18:41:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-27T18:41:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-25T11:54:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise 3.0",
"product": {
"name": "Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.0::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-master@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-sdn-ovs@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tuned-profiles-openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Jordan Liggitt"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2015-5305",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273969"
}
],
"notes": [
{
"category": "description",
"text": "Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Kubernetes: Missing name validation allows path traversal in etcd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5305"
},
{
"category": "external",
"summary": "RHBZ#1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5305",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5305"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
}
],
"release_date": "2015-10-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-27T18:41:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Kubernetes: Missing name validation allows path traversal in etcd"
}
]
}
rhsa-2015:1945
Vulnerability from csaf_redhat
Published
2015-10-27 18:41
Modified
2025-09-25 11:54
Summary
Red Hat Security Advisory: kubernetes security update
Notes
Topic
Updated kubernetes packages that fix one security issue are now
available for Red Hat OpenShift Enterprise 3.0.
Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the references section.
Details
Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.
Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)
Red Hat would like to thank Jordan Liggitt for discovering and
reporting this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated kubernetes packages that fix one security issue are now \navailable for Red Hat OpenShift Enterprise 3.0.\n\nRed Hat Product Security has rated this update as having Moderate \nsecurity impact. A Common Vulnerability Scoring System (CVSS) base \nscore, which gives a detailed severity rating, is available from the \nCVE link in the references section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.\n\nKubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305)\n\nRed Hat would like to thank Jordan Liggitt for discovering and \nreporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:1945",
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1945.json"
}
],
"title": "Red Hat Security Advisory: kubernetes security update",
"tracking": {
"current_release_date": "2025-09-25T11:54:48+00:00",
"generator": {
"date": "2025-09-25T11:54:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.8"
}
},
"id": "RHSA-2015:1945",
"initial_release_date": "2015-10-27T18:41:38+00:00",
"revision_history": [
{
"date": "2015-10-27T18:41:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-10-27T18:41:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-25T11:54:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise 3.0",
"product": {
"name": "Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.0::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-master@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-sdn-ovs@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-clients@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_id": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tuned-profiles-openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
"product_id": "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
},
"product_reference": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Jordan Liggitt"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2015-5305",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2015-10-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1273969"
}
],
"notes": [
{
"category": "description",
"text": "Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Kubernetes: Missing name validation allows path traversal in etcd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5305"
},
{
"category": "external",
"summary": "RHBZ#1273969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5305",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5305"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
}
],
"release_date": "2015-10-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-10-27T18:41:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
"7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
"7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Kubernetes: Missing name validation allows path traversal in etcd"
}
]
}
fkie_cve-2015-5305
Vulnerability from fkie_nvd
Published
2015-11-06 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "45690263-84D9-45A1-8C30-3ED2F0F11F47",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en Kubernetes, tal como se utiliza en Red Hat OpenShift Enterprise 3.0, permite a atacantes escribir a archivos arbitrarios a trav\u00e9s de un nombre de tipo objeto manipulado, que no es manejado correctamente antes de pasarlo a etcd."
}
],
"id": "CVE-2015-5305",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-11-06T18:59:00.110",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cnvd-2015-07466
Vulnerability from cnvd
Title: Red Hat OpenShift Enterprise使用Google Kubernetes目录遍历漏洞
Description:
Red Hat OpenShift是美国红帽(Red Hat)公司的一款平台即服务(PaaS)云计算平台,它可构建、测试、部署和运行应用程序。OpenShift Enterprise是一个开源的私有云版本。Google Kubernetes是美国Google公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。
Red Hat OpenShift Enterprise 3.0版本中使用的Google Kubernetes存在目录遍历漏洞。攻击者可通过特制的对象类型名称利用该漏洞写入任意文件。
Severity: 中
Patch Name: Red Hat OpenShift Enterprise使用Google Kubernetes目录遍历漏洞的补丁
Patch Description:
Red Hat OpenShift是美国红帽(Red Hat)公司的一款平台即服务(PaaS)云计算平台,它可构建、测试、部署和运行应用程序。OpenShift Enterprise是一个开源的私有云版本。Google Kubernetes是美国Google公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。 Red Hat OpenShift Enterprise 3.0版本中使用的Google Kubernetes存在目录遍历漏洞。攻击者可通过特制的对象类型名称利用该漏洞写入任意文件。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description:
用户可参考如下供应商提供的安全公告获得补丁信息: https://access.redhat.com/errata/RHSA-2015:1945
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1273969 https://access.redhat.com/errata/RHSA-2015:1945
Impacted products
| Name | Red Hat OpenShift Enterprise 3.0.0.0 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2015-5305"
}
},
"description": "Red Hat OpenShift\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u53ef\u6784\u5efa\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\u3002OpenShift Enterprise\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u79c1\u6709\u4e91\u7248\u672c\u3002Google Kubernetes\u662f\u7f8e\u56fdGoogle\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002\r\n\r\nRed Hat OpenShift Enterprise 3.0\u7248\u672c\u4e2d\u4f7f\u7528\u7684Google Kubernetes\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u7684\u5bf9\u8c61\u7c7b\u578b\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002",
"discovererName": "Kurt Seifried",
"formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://access.redhat.com/errata/RHSA-2015:1945",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-07466",
"openTime": "2015-11-12",
"patchDescription": "Red Hat OpenShift\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u53ef\u6784\u5efa\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\u3002OpenShift Enterprise\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u79c1\u6709\u4e91\u7248\u672c\u3002Google Kubernetes\u662f\u7f8e\u56fdGoogle\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002\r\nRed Hat OpenShift Enterprise 3.0\u7248\u672c\u4e2d\u4f7f\u7528\u7684Google Kubernetes\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u7684\u5bf9\u8c61\u7c7b\u578b\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Red Hat OpenShift Enterprise\u4f7f\u7528Google Kubernetes\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Red Hat OpenShift Enterprise 3.0.0.0"
},
"referenceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969 \r\nhttps://access.redhat.com/errata/RHSA-2015:1945",
"serverity": "\u4e2d",
"submitTime": "2015-11-10",
"title": "Red Hat OpenShift Enterprise\u4f7f\u7528Google Kubernetes\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}
gsd-2015-5305
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-5305",
"description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
"id": "GSD-2015-5305",
"references": [
"https://www.suse.com/security/cve/CVE-2015-5305.html",
"https://access.redhat.com/errata/RHSA-2015:1945"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-5305"
],
"details": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
"id": "GSD-2015-5305",
"modified": "2023-12-13T01:20:06.603266Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5305",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/errata/RHSA-2015:1945",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv1.1.1",
"affected_versions": "All versions before 1.1.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2022-04-12",
"description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
"fixed_versions": [
"v1.1.1"
],
"identifier": "CVE-2015-5305",
"identifiers": [
"GHSA-jp32-vmm6-3vf5",
"CVE-2015-5305"
],
"not_impacted": "All versions starting from 1.1.1",
"package_slug": "go/github.com/kubernetes/kubernetes",
"pubdate": "2022-02-15",
"solution": "Upgrade to version 1.1.1 or above.",
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
"https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0",
"https://access.redhat.com/errata/RHSA-2015:1945",
"https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305",
"https://github.com/advisories/GHSA-jp32-vmm6-3vf5"
],
"uuid": "891309f1-f5fd-42f6-b8b6-a11482a8a0df",
"versions": [
{
"commit": {
"sha": "60ed5d038a5a3c3c78fdff1315c01aebf5a61cd1",
"tags": [
"v1.1.1"
],
"timestamp": "20151109155645"
},
"number": "v1.1.1"
}
]
},
{
"affected_range": "\u003c1.1.1",
"affected_versions": "All versions before 1.1.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2023-02-17",
"description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
"fixed_versions": [
"1.1.1"
],
"identifier": "CVE-2015-5305",
"identifiers": [
"GHSA-jp32-vmm6-3vf5",
"CVE-2015-5305"
],
"not_impacted": "All versions starting from 1.1.1",
"package_slug": "go/k8s.io/kubernetes",
"pubdate": "2022-02-15",
"solution": "Upgrade to version 1.1.1 or above.",
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
"https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0",
"https://access.redhat.com/errata/RHSA-2015:1945",
"https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305",
"https://access.redhat.com/security/cve/CVE-2015-5305",
"https://github.com/kubernetes/kubernetes/pull/16381",
"https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7",
"https://pkg.go.dev/vuln/GO-2022-0701",
"https://github.com/advisories/GHSA-jp32-vmm6-3vf5"
],
"uuid": "536a8f06-3d57-4817-aa83-3ecf9d88e300"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5305"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"name": "RHSA-2015:1945",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:53Z",
"publishedDate": "2015-11-06T18:59Z"
}
}
}
ghsa-jp32-vmm6-3vf5
Vulnerability from github
Published
2022-02-15 01:57
Modified
2023-08-30 11:46
Severity ?
VLAI Severity ?
Summary
Directory Traversal in Kubernetes
Details
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubernetes/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5305"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T16:19:56Z",
"nvd_published_at": "2015-11-06T18:59:00Z",
"severity": "MODERATE"
},
"details": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
"id": "GHSA-jp32-vmm6-3vf5",
"modified": "2023-08-30T11:46:16Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/16381"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:1945"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2015-5305"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0701"
},
{
"type": "WEB",
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Directory Traversal in Kubernetes"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…