VDB
KO
MEDIUM 5.8

GHSA-jxr7-mqhw-9p98

K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression

Details

#### Summary

A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g., `../../../../etc/password`) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.

#### Mitigations

* Enable golang's built-in [insecure path protections](https://pkg.go.dev/archive/zip#NewReader) when restoring snapshots by setting the`GODEBUG` environment variable: ```bash GODEBUG=zipinsecurepath=0 k3s server --cluster-reset --cluster-reset-restore-path=/path/to/snapshot.zip ``` * Manually extract the snapshot from the zip archive before restoring it. If the snapshot to be restored does not end with `.zip`, the vulnerable extraction code will not be executed.

#### Additional Notes

Administrators should be aware of the cautions noted in the "Security" section of the documentation on [Restoring Snapshots](https://docs.k3s.io/cli/etcd-snapshot#security).

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/k3s-io/k3s
Introduced in: 1.35.0-rc1 Fixed in: 1.35.3
Fix go get github.com/k3s-io/k3s@v1.35.3
Go / github.com/k3s-io/k3s
Introduced in: 1.34.0-rc1 Fixed in: 1.34.6
Fix go get github.com/k3s-io/k3s@v1.34.6
Go / github.com/k3s-io/k3s
Introduced in: 0 Fixed in: 1.33.10
Fix go get github.com/k3s-io/k3s@v1.33.10

References