Filtered by vendor Kubernetes Subscriptions
Filtered by product Kubernetes Subscriptions
Total 56 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-25740 1 Kubernetes 1 Kubernetes 2024-09-16 3.1 Low
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
CVE-2020-8555 3 Fedoraproject, Kubernetes, Redhat 3 Fedora, Kubernetes, Openshift 2024-09-16 6.3 Medium
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
CVE-2019-11249 2 Kubernetes, Redhat 3 Kubernetes, Openshift, Openshift Container Platform 2024-09-16 6.5 Medium
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
CVE-2019-11247 2 Kubernetes, Redhat 3 Kubernetes, Openshift, Openshift Container Platform 2024-09-16 8.1 High
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
CVE-2020-8559 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-09-16 6.4 Medium
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
CVE-2020-8564 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-09-16 4.7 Medium
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
CVE-2020-8563 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-09-16 4.7 Medium
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.
CVE-2020-8562 1 Kubernetes 1 Kubernetes 2024-09-16 2.2 Low
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
CVE-2017-1002100 1 Kubernetes 1 Kubernetes 2024-09-16 N/A
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
CVE-2018-1002100 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-09-16 N/A
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
CVE-2023-5528 3 Fedoraproject, Kubernetes, Redhat 3 Fedora, Kubernetes, Openshift 2024-09-06 7.2 High
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
CVE-2015-7561 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-06 N/A
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
CVE-2015-7528 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-06 N/A
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
CVE-2016-7075 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-06 N/A
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.
CVE-2016-1905 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-05 N/A
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
CVE-2016-1906 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-05 N/A
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
CVE-2017-1002101 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-05 N/A
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
CVE-2017-1002102 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-08-05 N/A
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
CVE-2017-1000056 1 Kubernetes 1 Kubernetes 2024-08-05 N/A
Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.
CVE-2018-1002101 1 Kubernetes 1 Kubernetes 2024-08-05 N/A
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.