A new high-severity Kubernetes vulnerability has been discovered, according to security announcement on Securelists.org. As part of the ongoing Kubernetes security audit sponsored by the Cloud Native Computing Foundation, the Kubernetes product security team announced a new high-severity vulnerability (CVE-2019-11246) that impacts kubectl, the command line interface used to run commands against Kubernetes clusters. “Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments,” said Wei Lien Dang, co-founder and vice president of product at StackRox. Because upgrades depend on the actions of individuals users, the fix can be harder to enforce, and Dang expects that this will not be the only vulnerability disclosed as a result of the security audit.