Filtered by vendor Kubernetes
Subscribe
Total
92 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3162 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | N/A | 6.5 MEDIUM |
| Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group. | |||||
| CVE-2022-2995 | 1 Kubernetes | 1 Cri-o | 2024-11-21 | N/A | 7.1 HIGH |
| Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | |||||
| CVE-2022-2385 | 1 Kubernetes | 1 Aws-iam-authenticator | 2024-11-21 | 6.0 MEDIUM | 8.1 HIGH |
| A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. | |||||
| CVE-2022-27652 | 4 Fedoraproject, Kubernetes, Mobyproject and 1 more | 4 Fedora, Cri-o, Moby and 1 more | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
| A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. | |||||
| CVE-2022-1708 | 3 Fedoraproject, Kubernetes, Redhat | 4 Fedora, Cri-o, Enterprise Linux and 1 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability. | |||||
| CVE-2022-0811 | 1 Kubernetes | 1 Cri-o | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed. | |||||
| CVE-2022-0532 | 2 Kubernetes, Redhat | 2 Cri-o, Openshift Container Platform | 2024-11-21 | 4.9 MEDIUM | 4.2 MEDIUM |
| An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace. | |||||
| CVE-2021-25749 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | N/A | 7.8 HIGH |
| Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. | |||||
| CVE-2021-25748 | 1 Kubernetes | 1 Ingress-nginx | 2024-11-21 | N/A | 7.6 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. | |||||
| CVE-2021-25746 | 1 Kubernetes | 1 Ingress-nginx | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. | |||||
| CVE-2021-25745 | 1 Kubernetes | 1 Ingress-nginx | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. | |||||
| CVE-2021-25743 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 2.1 LOW | 3.0 LOW |
| kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. | |||||
| CVE-2021-25742 | 2 Kubernetes, Netapp | 2 Ingress-nginx, Trident | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. | |||||
| CVE-2021-25741 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
| A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. | |||||
| CVE-2021-25740 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 3.5 LOW | 3.1 LOW |
| A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. | |||||
| CVE-2021-25738 | 1 Kubernetes | 1 Java | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. | |||||
| CVE-2021-25737 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 4.9 MEDIUM | 2.7 LOW |
| A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs. | |||||
| CVE-2021-25735 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields. | |||||
| CVE-2020-8570 | 1 Kubernetes | 1 Java | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. | |||||
| CVE-2020-8569 | 1 Kubernetes | 1 Container Storage Interface Snapshotter | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected. | |||||