{"id":"CVE-2019-11251","details":"The Kubernetes kubectl cp command in versions 1.1 through 1.12, and in 1.13 versions prior to 1.13.11, 1.14 versions prior to 1.14.7, and 1.15 versions prior to 1.15.4, allows a combination of two symlinks provided by the tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could allow an attacker to use a symlink to place a malicious file outside of the destination tree.","aliases":["GHSA-6qfg-8799-r575","GO-2022-0802"],"modified":"2026-04-11T12:10:14.820869Z","published":"2020-02-03T16:15:11.140Z","related":["openSUSE-SU-2025:15424-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"1.1-1.12"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:kubernetes:kubernetes:1.1-1.12:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/87773"},{"type":"ADVISORY","url":"https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubernetes","events":[{"introduced":"ddf47ac13c1a9483ea035a79cd7c10005ff21a6d"},{"fixed":"25074a190ef2a07d8b0ed38734f2cb373edfb868"},{"introduced":"641856db18352033a0d96dbc99153fa3b27298e5"},{"fixed":"8fca2ec50a6133511b771a11559e24191b1aa2b4"},{"introduced":"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529"},{"fixed":"67d2fcf276fcd9cf743ad4be9a9ef5828adc082f"}],"database_specific":{"extracted_events":[{"introduced":"1.13.0"},{"fixed":"1.13.11"},{"introduced":"1.14.0"},{"fixed":"1.14.7"},{"introduced":"1.15.0"},{"fixed":"1.15.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*"}}],"versions":["v1.13.0","v1.13.1","v1.13.1-beta.0","v1.13.10","v1.13.10-beta.0","v1.13.11-beta.0","v1.13.2","v1.13.2-beta.0","v1.13.3","v1.13.3-beta.0","v1.13.4","v1.13.4-beta.0","v1.13.5","v1.13.5-beta.0","v1.13.6","v1.13.6-beta.0","v1.13.7","v1.13.7-beta.0","v1.13.8","v1.13.8-beta.0","v1.13.9","v1.13.9-beta.0","v1.14.0","v1.14.1",
"v1.14.1-beta.0","v1.14.2","v1.14.2-beta.0","v1.14.3","v1.14.3-beta.0","v1.14.4","v1.14.4-beta.0","v1.14.5","v1.14.5-beta.0","v1.14.6","v1.14.6-beta.0","v1.14.7-beta.0","v1.15.0","v1.15.1","v1.15.1-beta.0","v1.15.2","v1.15.2-beta.0","v1.15.3","v1.15.3-beta.0","v1.15.4-beta.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11251.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}]}