In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by `--cache-dir` (defaulting to `$HOME/.kube/http-cache`), written with world-writeable permissions (`rw-rw-rw-`). If `--cache-dir` is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

Affected Packages

Go k8s.io/client-go

Affected versions: 1.8.0 (fixed in 1.12.9)

Related CVEs

CVE-2019-11244

Key Information

GHSA ID

GHSA-2575-pghm-6qqx

Published

February 15, 2022 1:57 AM

Last Modified

September 18, 2023 8:18 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

k8s.io/client-go

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.