cvelistv5 - cve-2015-5305

CVE-2015-5305 (GCVE-0-2015-5305)

Vulnerability from cvelistv5 – Published: 2015-11-06 18:00 – Updated: 2024-08-06 06:41

Summary

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

CNVD-2015-07466

Vulnerability from cnvd - Published: 2015-11-12

Title

Red Hat OpenShift Enterprise使用Google Kubernetes目录遍历漏洞

Description

Red Hat OpenShift是美国红帽（Red Hat）公司的一款平台即服务（PaaS）云计算平台，它可构建、测试、部署和运行应用程序。OpenShift Enterprise是一个开源的私有云版本。Google Kubernetes是美国Google公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。 Red Hat OpenShift Enterprise 3.0版本中使用的Google Kubernetes存在目录遍历漏洞。攻击者可通过特制的对象类型名称利用该漏洞写入任意文件。

Severity

中

Patch Name

Red Hat OpenShift Enterprise使用Google Kubernetes目录遍历漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://access.redhat.com/errata/RHSA-2015:1945

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1273969 https://access.redhat.com/errata/RHSA-2015:1945

Impacted products

Name
Red Hat OpenShift Enterprise 3.0.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-5305"
    }
  },
  "description": "Red Hat OpenShift\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u53ef\u6784\u5efa\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\u3002OpenShift Enterprise\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u79c1\u6709\u4e91\u7248\u672c\u3002Google Kubernetes\u662f\u7f8e\u56fdGoogle\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002\r\n\r\nRed Hat OpenShift Enterprise 3.0\u7248\u672c\u4e2d\u4f7f\u7528\u7684Google Kubernetes\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u7684\u5bf9\u8c61\u7c7b\u578b\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002",
  "discovererName": "Kurt Seifried",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://access.redhat.com/errata/RHSA-2015:1945",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-07466",
  "openTime": "2015-11-12",
  "patchDescription": "Red Hat OpenShift\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u53ef\u6784\u5efa\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\u3002OpenShift Enterprise\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u79c1\u6709\u4e91\u7248\u672c\u3002Google Kubernetes\u662f\u7f8e\u56fdGoogle\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002\r\nRed Hat OpenShift Enterprise 3.0\u7248\u672c\u4e2d\u4f7f\u7528\u7684Google Kubernetes\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u7684\u5bf9\u8c61\u7c7b\u578b\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Red Hat OpenShift Enterprise\u4f7f\u7528Google Kubernetes\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Red Hat OpenShift Enterprise 3.0.0.0"
  },
  "referenceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969 \r\nhttps://access.redhat.com/errata/RHSA-2015:1945",
  "serverity": "\u4e2d",
  "submitTime": "2015-11-10",
  "title": "Red Hat OpenShift Enterprise\u4f7f\u7528Google Kubernetes\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

GHSA-JP32-VMM6-3VF5

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-08-30 11:46

Summary

Directory Traversal in Kubernetes

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubernetes/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-5305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T16:19:56Z",
    "nvd_published_at": "2015-11-06T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
  "id": "GHSA-jp32-vmm6-3vf5",
  "modified": "2023-08-30T11:46:16Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/16381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1945"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2015-5305"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0701"
    },
    {
      "type": "WEB",
      "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directory Traversal in Kubernetes"
}

GSD-2015-5305

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2015-5305

Aliases

CVE-2015-5305

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-5305",
    "description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
    "id": "GSD-2015-5305",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-5305.html",
      "https://access.redhat.com/errata/RHSA-2015:1945"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-5305"
      ],
      "details": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
      "id": "GSD-2015-5305",
      "modified": "2023-12-13T01:20:06.603266Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-5305",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://access.redhat.com/errata/RHSA-2015:1945",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2015:1945"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.1.1",
          "affected_versions": "All versions before 1.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2022-04-12",
          "description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
          "fixed_versions": [
            "v1.1.1"
          ],
          "identifier": "CVE-2015-5305",
          "identifiers": [
            "GHSA-jp32-vmm6-3vf5",
            "CVE-2015-5305"
          ],
          "not_impacted": "All versions starting from 1.1.1",
          "package_slug": "go/github.com/kubernetes/kubernetes",
          "pubdate": "2022-02-15",
          "solution": "Upgrade to version 1.1.1 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
            "https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0",
            "https://access.redhat.com/errata/RHSA-2015:1945",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
            "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305",
            "https://github.com/advisories/GHSA-jp32-vmm6-3vf5"
          ],
          "uuid": "891309f1-f5fd-42f6-b8b6-a11482a8a0df",
          "versions": [
            {
              "commit": {
                "sha": "60ed5d038a5a3c3c78fdff1315c01aebf5a61cd1",
                "tags": [
                  "v1.1.1"
                ],
                "timestamp": "20151109155645"
              },
              "number": "v1.1.1"
            }
          ]
        },
        {
          "affected_range": "\u003c1.1.1",
          "affected_versions": "All versions before 1.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2023-02-17",
          "description": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.",
          "fixed_versions": [
            "1.1.1"
          ],
          "identifier": "CVE-2015-5305",
          "identifiers": [
            "GHSA-jp32-vmm6-3vf5",
            "CVE-2015-5305"
          ],
          "not_impacted": "All versions starting from 1.1.1",
          "package_slug": "go/k8s.io/kubernetes",
          "pubdate": "2022-02-15",
          "solution": "Upgrade to version 1.1.1 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
            "https://github.com/kubernetes/kubernetes/commit/68f2add9bd5d43b9da1424d87d88f83d120e17d0",
            "https://access.redhat.com/errata/RHSA-2015:1945",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
            "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5305",
            "https://access.redhat.com/security/cve/CVE-2015-5305",
            "https://github.com/kubernetes/kubernetes/pull/16381",
            "https://github.com/kubernetes/kubernetes/commit/37f730f68c7f06e060f90714439bfb0dbb2df5e7",
            "https://pkg.go.dev/vuln/GO-2022-0701",
            "https://github.com/advisories/GHSA-jp32-vmm6-3vf5"
          ],
          "uuid": "536a8f06-3d57-4817-aa83-3ecf9d88e300"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5305"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
            },
            {
              "name": "RHSA-2015:1945",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2015:1945"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:53Z",
      "publishedDate": "2015-11-06T18:59Z"
    }
  }
}

RHSA-2015_1945

Vulnerability from csaf_redhat - Published: 2015-10-27 18:41 - Updated: 2024-11-22 09:32

Summary

Red Hat Security Advisory: kubernetes security update

Notes

Topic

Updated kubernetes packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.0. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the references section.

Details

Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3. Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. (CVE-2015-5305) Red Hat would like to thank Jordan Liggitt for discovering and reporting this issue.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated kubernetes packages that fix one security issue are now \navailable for Red Hat OpenShift Enterprise 3.0.\n\nRed Hat Product Security has rated this update as having Moderate \nsecurity impact. A Common Vulnerability Scoring System (CVSS) base \nscore, which gives a detailed severity rating, is available from the \nCVE link in the references section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.\n\nKubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.  (CVE-2015-5305)\n\nRed Hat would like to thank Jordan Liggitt for discovering and \nreporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1945",
        "url": "https://access.redhat.com/errata/RHSA-2015:1945"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1273969",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1945.json"
      }
    ],
    "title": "Red Hat Security Advisory: kubernetes security update",
    "tracking": {
      "current_release_date": "2024-11-22T09:32:53+00:00",
      "generator": {
        "date": "2024-11-22T09:32:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:1945",
      "initial_release_date": "2015-10-27T18:41:38+00:00",
      "revision_history": [
        {
          "date": "2015-10-27T18:41:38+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-10-27T18:41:38+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:32:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Enterprise 3.0",
                "product": {
                  "name": "Red Hat OpenShift Enterprise 3.0",
                  "product_id": "7Server-RH7-RHOSE-3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:3.0::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-master@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-sdn-ovs@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-clients@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tuned-profiles-openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                "product": {
                  "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                  "product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src"
        },
        "product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jordan Liggitt"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5305",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2015-10-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1273969"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kubernetes: Missing name validation allows path traversal in etcd",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
          "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5305"
        },
        {
          "category": "external",
          "summary": "RHBZ#1273969",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5305",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5305"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
        }
      ],
      "release_date": "2015-10-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-10-27T18:41:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1945"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Kubernetes: Missing name validation allows path traversal in etcd"
    }
  ]
}

RHSA-2015:1945

Vulnerability from csaf_redhat - Published: 2015-10-27 18:41 - Updated: 2025-11-21 17:53

Summary

Red Hat Security Advisory: kubernetes security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated kubernetes packages that fix one security issue are now \navailable for Red Hat OpenShift Enterprise 3.0.\n\nRed Hat Product Security has rated this update as having Moderate \nsecurity impact. A Common Vulnerability Scoring System (CVSS) base \nscore, which gives a detailed severity rating, is available from the \nCVE link in the references section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Kubernetes allows orchestration and control of Docker containers as used in OpenShift Enterprise 3.\n\nKubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.  (CVE-2015-5305)\n\nRed Hat would like to thank Jordan Liggitt for discovering and \nreporting this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1945",
        "url": "https://access.redhat.com/errata/RHSA-2015:1945"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1273969",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1945.json"
      }
    ],
    "title": "Red Hat Security Advisory: kubernetes security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:53:52+00:00",
      "generator": {
        "date": "2025-11-21T17:53:52+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2015:1945",
      "initial_release_date": "2015-10-27T18:41:38+00:00",
      "revision_history": [
        {
          "date": "2015-10-27T18:41:38+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-10-27T18:41:38+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:53:52+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Enterprise 3.0",
                "product": {
                  "name": "Red Hat OpenShift Enterprise 3.0",
                  "product_id": "7Server-RH7-RHOSE-3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:3.0::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-master@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-sdn-ovs@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-clients@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                "product": {
                  "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_id": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tuned-profiles-openshift-node@3.0.2.0-0.git.20.656dc3e.el7ose?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                "product": {
                  "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                  "product_id": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift@3.0.2.0-0.git.20.656dc3e.el7ose?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src"
        },
        "product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64 as a component of Red Hat OpenShift Enterprise 3.0",
          "product_id": "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        },
        "product_reference": "tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jordan Liggitt"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5305",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2015-10-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1273969"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kubernetes: Missing name validation allows path traversal in etcd",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
          "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
          "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5305"
        },
        {
          "category": "external",
          "summary": "RHBZ#1273969",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5305",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5305"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5305"
        }
      ],
      "release_date": "2015-10-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-10-27T18:41:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1945"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.src",
            "7Server-RH7-RHOSE-3.0:openshift-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-clients-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-master-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:openshift-sdn-ovs-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64",
            "7Server-RH7-RHOSE-3.0:tuned-profiles-openshift-node-0:3.0.2.0-0.git.20.656dc3e.el7ose.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Kubernetes: Missing name validation allows path traversal in etcd"
    }
  ]
}

FKIE_CVE-2015-5305

Vulnerability from fkie_nvd - Published: 2015-11-06 18:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2015:1945	Vendor Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1273969	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2015:1945	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1273969	Vendor Advisory

Impacted products

	Vendor	Product	Version
	redhat	openshift	3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "45690263-84D9-45A1-8C30-3ED2F0F11F47",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de salto de directorio en Kubernetes, tal como se utiliza en Red Hat OpenShift Enterprise 3.0, permite a atacantes escribir a archivos arbitrarios a trav\u00e9s de un nombre de tipo objeto manipulado, que no es manejado correctamente antes de pasarlo a etcd."
    }
  ],
  "id": "CVE-2015-5305",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.4,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-11-06T18:59:00.110",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2015:1945"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2015:1945"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1273969"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-5305 (GCVE-0-2015-5305)

CNVD-2015-07466

GHSA-JP32-VMM6-3VF5

GSD-2015-5305

RHSA-2015_1945

RHSA-2015:1945

FKIE_CVE-2015-5305

Tags

Sightings

Nomenclature