CVE-2018-1002105 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-1002105 REJECTED

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

EPSS 90.70% · 99.6th percentile

Risk Scores

EPSS Score

90.70%

99.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	kubernetes	0, 1.0
Ubuntu:22.04:LTS	kubernetes	0, 1.0
Ubuntu:24.04:LTS	kubernetes	0, 1.0

Timeline

Dec 5, 2018 CVE Published
Dec 7, 2018 PoC Published
Dec 24, 2018 PoC Published
Apr 14, 2021 EPSS Score
Mar 7, 2023 EPSS Score
Mar 31, 2023 EPSS Score
May 8, 2023 EPSS Score
Aug 2, 2023 EPSS Score
Oct 27, 2023 EPSS Score
Nov 14, 2023 EPSS Score
Nov 29, 2023 EPSS Score
Jan 3, 2024 EPSS Score

References

https://ubuntu.com/security/CVE-2018-1002105 third-party-advisory
https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88 third-party-advisory
https://github.com/kubernetes/kubernetes/issues/71411 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2018-1002105 third-party-advisory

Open in Interactive Console →