CVE-2019-11251: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

CVE-2019-11251 is a security vulnerability discovered in the Kubernetes kubectl cp command affecting versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4. The vulnerability allows attackers to exploit a combination of two symlinks provided by tar output of a malicious container to place files outside of the destination directory specified in the kubectl cp invocation (NVD, Kubernetes Announce).

The vulnerability is similar to previous issues CVE-2019-1002101 and CVE-2019-11246, involving the kubectl cp command's handling of symlinks. The vulnerability has a CVSS v3.1 base score of 5.7 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N. The issue stems from improper handling of symlink resolution during file copying operations, which could allow an attacker to manipulate file placement outside the intended destination tree (NVD).

If exploited, this vulnerability allows attackers to place malicious files outside of the intended destination directory through symlink manipulation. This could potentially lead to unauthorized file placement anywhere in the system where the kubectl command has write permissions (Kubernetes Issue).

Two fixes were implemented to address this vulnerability. For version 1.16.0, symlink support was completely removed from kubectl cp, with users recommended to use a combination of exec+tar instead. For versions 1.15.4, 1.14.7, and 1.13.11, the kubectl cp un-tar symlink logic was modified to unpack symlinks after regular files, preventing file writes through symlinks. Users are encouraged to upgrade to these patched versions (Kubernetes Issue).