x/vulndb: potential Go vuln in k8s.io/minikube: GHSA-6pcv-qqx4-mxm3 #1961

GoVulnBot · 2023-07-22T01:01:32Z

In GitHub Security Advisory GHSA-6pcv-qqx4-mxm3, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
k8s.io/minikube		>= 0.3.0, <= 0.29.0

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: k8s.io/minikube
      versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 0.3.0, <= 0.29.0")
      vulnerable_at: 1.31.1
      packages:
        - package: k8s.io/minikube
summary: Minikube RCE via DNS Rebinding
description: |-
    In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard
    listening on the VM IP at port 30000. In VM environments where the IP is easy to
    predict, the attacker can use DNS rebinding to indirectly make requests to the
    Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code.
    If minikube mount is in use, the attacker could also directly access the host
    filesystem.
cves:
    - CVE-2018-1002103
ghsas:
    - GHSA-6pcv-qqx4-mxm3
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2018-1002103
    - report: https://github.com/kubernetes/minikube/issues/3208
    - advisory: https://github.com/advisories/GHSA-6pcv-qqx4-mxm3

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-31T20:50:56Z

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports

gopherbot · 2024-06-14T17:49:53Z

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:52:34Z

Change https://go.dev/cl/606789 mentions this issue: data/reports: unexclude 20 reports (9)

- data/reports/GO-2023-1955.yaml - data/reports/GO-2023-1956.yaml - data/reports/GO-2023-1957.yaml - data/reports/GO-2023-1959.yaml - data/reports/GO-2023-1961.yaml - data/reports/GO-2023-1962.yaml - data/reports/GO-2023-1965.yaml - data/reports/GO-2023-1971.yaml - data/reports/GO-2023-1972.yaml - data/reports/GO-2023-1973.yaml - data/reports/GO-2023-1977.yaml - data/reports/GO-2023-1979.yaml - data/reports/GO-2023-1980.yaml - data/reports/GO-2023-1982.yaml - data/reports/GO-2023-1985.yaml - data/reports/GO-2023-1986.yaml - data/reports/GO-2023-1991.yaml - data/reports/GO-2023-1993.yaml - data/reports/GO-2023-1995.yaml - data/reports/GO-2023-1996.yaml Updates #1955 Updates #1956 Updates #1957 Updates #1959 Updates #1961 Updates #1962 Updates #1965 Updates #1971 Updates #1972 Updates #1973 Updates #1977 Updates #1979 Updates #1980 Updates #1982 Updates #1985 Updates #1986 Updates #1991 Updates #1993 Updates #1995 Updates #1996 Change-Id: I681627cba89cee6d3bc2def3924c65a3b5da4453 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606789 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

neild self-assigned this Jul 31, 2023

neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 31, 2023

gopherbot closed this as completed in 2439098 Jul 31, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in k8s.io/minikube: GHSA-6pcv-qqx4-mxm3 #1961

x/vulndb: potential Go vuln in k8s.io/minikube: GHSA-6pcv-qqx4-mxm3 #1961

GoVulnBot commented Jul 22, 2023

gopherbot commented Jul 31, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in k8s.io/minikube: GHSA-6pcv-qqx4-mxm3 #1961

x/vulndb: potential Go vuln in k8s.io/minikube: GHSA-6pcv-qqx4-mxm3 #1961

Comments

GoVulnBot commented Jul 22, 2023

gopherbot commented Jul 31, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024