CVE-2015-5305
Kubernetes: Missing name validation allows path traversal in etcd
Public Exploits: 0
Exploited in Wild: -
Descriptions
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3. Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type, this can lead to a directory path traversal.
Timeline
- 2015-07-01 CVE Reserved
- 2015-10-27 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (3)
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2015:1945 | 2023-02-13 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1273969 | 2015-10-27 | |
https://access.redhat.com/security/cve/CVE-2015-5305 | 2015-10-27 | |