cvedb.io
CVE-2018-1002105
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2018-12-05T21:29:00.403 · Last modified 2026-06-17T01:33:20.683

Summary

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

Affected products

kubernetes — kubernetes

Does this affect you?

Add your gear to cvedb and we'll alert you only when kubernetes ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.