Filtered by vendor Kubernetes
Subscribe
Total
93 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18264 | 1 Kubernetes | 1 Dashboard | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. | |||||
| CVE-2018-1002105 | 3 Kubernetes, Netapp, Redhat | 3 Kubernetes, Trident, Openshift Container Platform | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. | |||||
| CVE-2018-1002104 | 1 Kubernetes | 1 Nginx Ingress Controller | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. | |||||
| CVE-2018-1002103 | 1 Kubernetes | 1 Minikube | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem. | |||||
| CVE-2018-1002102 | 2 Fedoraproject, Kubernetes | 2 Fedora, Kubernetes | 2024-11-21 | 2.1 LOW | 2.6 LOW |
| Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. | |||||
| CVE-2018-1002101 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 7.5 HIGH | 5.9 MEDIUM |
| In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. | |||||
| CVE-2018-1002100 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 3.6 LOW | 4.2 MEDIUM |
| In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. | |||||
| CVE-2018-1000400 | 1 Kubernetes | 1 Cri-o | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9. | |||||
| CVE-2017-1002102 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 6.3 MEDIUM | 7.1 HIGH |
| In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running. | |||||
| CVE-2017-1002101 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH |
| In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem. | |||||
| CVE-2016-7075 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate. | |||||
| CVE-2024-9486 | 1 Kubernetes | 1 Image Builder | 2024-11-08 | N/A | 9.8 CRITICAL |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider. | |||||
| CVE-2024-9594 | 1 Kubernetes | 1 Image Builder | 2024-11-08 | N/A | 6.3 MEDIUM |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring. | |||||