CVE-2018-1002105

CRITICAL

Kubernetes < 1.10.11, < 1.11.5, < 1.12.3 - Server-Side Request Forgery via Proxy Error Handling


Exploitation Summary

EIP tracks 8 public exploits for CVE-2018-1002105. PoCs published by evict, gravitational, imlzw.

AI-analyzed exploit summary: This Python script exploits CVE-2018-1002105, an unauthenticated API access vulnerability in Kubernetes. It sends crafted HTTP requests in two stages to bypass authentication and access restricted API endpoints, potentially leading to information disclosure or further exploitation.

Description

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

Exploits (8)

exploitdb WORKING POC
by evict · python · remote · multiple
https://www.exploit-db.com/exploits/46052

This Python script exploits CVE-2018-1002105, an unauthenticated API access vulnerability in Kubernetes. It sends crafted HTTP requests in two stages to bypass authentication and access restricted API endpoints, potentially leading to information disclosure or further exploitation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes (specific versions affected by CVE-2018-1002105)
No auth needed
Prerequisites: Network access to the Kubernetes API server · Kubernetes API server exposed and vulnerable to CVE-2018-1002105
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
by evict · python · remote · multiple
https://www.exploit-db.com/exploits/46053

This Python script exploits CVE-2018-1002105, a vulnerability in Kubernetes that allows privilege escalation via improper handling of JWT tokens. It performs a two-stage attack to execute commands on a privileged pod by leveraging access to a less privileged pod.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes (versions affected by CVE-2018-1002105)
Auth required
Prerequisites: Valid JWT token for a service account · Access to a pod with method access (exec/portforward/attach) · Network access to the Kubernetes API server
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 222 stars
by evict · poc
https://github.com/evict/poc_CVE-2018-1002105

This repository contains a proof-of-concept exploit for CVE-2018-1002105, a Kubernetes API server vulnerability. It includes both authenticated and unauthenticated PoCs for privilege escalation and remote code execution via pod exec/attach/portforward methods.

Classification: Working PoC 95%
Attack Type: RCE | LPE | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes API Server (versions affected by CVE-2018-1002105)
Auth required
Prerequisites: Network access to Kubernetes API server · Valid JWT token for authenticated PoC · Pod exec/attach/portforward permissions
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 195 stars
by gravitational · poc
https://github.com/gravitational/cve-2018-1002105

This repository contains a scanner tool to detect CVE-2018-1002105, a Kubernetes API server vulnerability related to WebSocket upgrade security. It checks for unauthenticated access and privilege escalation indicators.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes API Server (versions affected by CVE-2018-1002105)
No auth needed
Prerequisites: Access to Kubernetes API server · Kubeconfig file or unauthenticated access
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 4 stars
by imlzw · poc
https://github.com/imlzw/Kubernetes-1.12.3-all-auto-install

This repository provides a set of scripts for automating the installation of Kubernetes 1.12.3 with Dashboard 1.8.3 on CentOS 7, specifically configured to avoid CVE-2018-1002105. It includes scripts for master node initialization, node joining, and additional component installations like Harbor and NGINX Ingress Controller.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes 1.12.3
No auth needed
Prerequisites: CentOS 7.x environment with internet access · root user privileges
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC 1 star
by ashleyjohnson · poc
https://gitlab.com/ashleyjohnson/poc_CVE-2018-1002105

This repository contains a functional proof-of-concept exploit for CVE-2018-1002105, which targets Kubernetes API servers. The exploit leverages pod exec privileges to dump secrets from the etcd database by establishing a connection to the API server and executing crafted requests.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes API Server (versions affected by CVE-2018-1002105)
Auth required
Prerequisites: create and get privileges on pods and pods/exec · JWT token for service account · namespace with exec access · target pod with exec access
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC 1 star
by sh-ubh · poc
https://github.com/sh-ubh/CVE-2018-1002105

This PoC exploits CVE-2018-1002105, a Kubernetes API server vulnerability allowing unauthorized access to admin-level API endpoints. It demonstrates command execution via upgraded connections (exec/attach/portforward) using a valid JWT token.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes API Server (versions 1.0.x-1.9.x, 1.10.0-1.10.10, 1.11.0-1.11.4, 1.12.0-1.12.2)
Auth required
Prerequisites: Valid JWT token · Access to Kubernetes API server · Pod with method access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by bgeesaman · poc
https://github.com/bgeesaman/cve-2018-1002105

This repository contains a Go-based PoC for CVE-2018-1002105, a Kubernetes API server vulnerability allowing privilege escalation via websocket upgrade security flaws. The PoC tests for unauthenticated access and privilege escalation by executing commands in a pod.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes API Server (versions affected by CVE-2018-1002105)
No auth needed
Prerequisites: Access to Kubernetes API server · Network connectivity to the cluster
devstral-2 · analyzed Feb 16, 2026

References (20)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46053/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3549
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3752
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46052/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3624
Issue Tracking, Mitigation, Patch, Third Party Advisory x_refsource_confirm
https://github.com/kubernetes/kubernetes/issues/71411
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3742
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3754
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3537
Exploit, Third Party Advisory x_refsource_misc
https://github.com/evict/poc_CVE-2018-1002105
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3598
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3551
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106068
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190416-0001/
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/06/28/2
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/06/3
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/06/4

Scores

CVSS v3 9.8
EPSS 0.9010
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-388
Status: published
Products (12)
kubernetes/kubernetes 1.9.12 beta0
kubernetes/kubernetes 0 - 1.10.11 (Go)
kubernetes/kubernetes 1.0.0 - 1.9.11
netapp/trident
redhat/openshift_container_platform 3.2
redhat/openshift_container_platform 3.3
redhat/openshift_container_platform 3.4
redhat/openshift_container_platform 3.5
redhat/openshift_container_platform 3.6
redhat/openshift_container_platform 3.8
... and 2 more
Published Dec 05, 2018
Tracked Since Feb 18, 2026