CVE-2017-1002102
MEDIUM5.6EPSS 0.27%Kubernetes can trigger deletion of arbitrary files from the nodes where containers are running in k8s.io/kubernetes
Published: 5/13/2022Modified: 4/28/2026
Description
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
Affected packages (3)
- Debian/kubernetesfrom 0, < 1.7.16+dfsg-1
- Go/k8s.io/kubernetes>= 1.3.0, < 1.7.14
- Go/k8s.io/kubernetes>= 1.3.0, < 1.7.14, >= 1.8.0, < 1.8.9, >= 1.9.0, < 1.9.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.6 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N |
References (6)
- ADVISORYhttps://github.com/advisories/GHSA-mm7g-f2gg-cw8g
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1002102
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-1002102
- PATCHhttps://github.com/kubernetes/kubernetes
- WEBhttps://access.redhat.com/errata/RHSA-2018:0475
- WEBhttps://github.com/kubernetes/kubernetes/issues/60814