In GitHub Security Advisory GHSA-579h-mv94-g4gp, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/kubernetes/kubernetes | 1.12.3 | >= 1.12.0, < 1.12.3 |
Cross references:
- CVE-2018-1002105 appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-579h-mv94-g4gp #792 NOT_IMPORTABLE
- GHSA-579h-mv94-g4gp appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-579h-mv94-g4gp #792 NOT_IMPORTABLE
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
  - module: TODO
    versions:
      - introduced: 1.12.0
        fixed: 1.12.3
    packages:
      - package: github.com/kubernetes/kubernetes
  - module: TODO
    versions:
      - introduced: 1.11.0
        fixed: 1.11.5
    packages:
      - package: github.com/kubernetes/kubernetes
  - module: TODO
    versions:
      - fixed: 1.10.11
    packages:
      - package: github.com/kubernetes/kubernetes
description: In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect
  handling of error responses to proxied upgrade requests in the kube-apiserver
  allowed specially crafted requests to establish a connection through the Kubernetes
  API server to backend servers, then send arbitrary requests over the same connection
  directly to the backend, authenticated with the Kubernetes API server's TLS credentials
  used to establish the backend connection.
cves:
  - CVE-2018-1002105
ghsas:
  - GHSA-579h-mv94-g4gp
```