Debian Kubernetes vulnerabilities

68 known vulnerabilities affecting debian/kubernetes.

Total CVEs: 68
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 26, LOW 29

Vulnerabilities

CVE-2025-0426 | MEDIUM | CVSS 6.2 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2025
[MEDIUM] kubernetes: A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+really1.20.2-1); forky: resolved (fixed in

CVE-2025-1767 | MEDIUM | CVSS 6.5 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2025
[MEDIUM] kubernetes: This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.
Scope: local; bookworm: resolved (fixed in 1.20.5+real

CVE-2025-5187 | MEDIUM | CVSS 6.7 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2025
[MEDIUM] kubernetes: A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. Sco

CVE-2025-13281 | MEDIUM | CVSS 5.8 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2025
[MEDIUM] kubernetes: A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
Scope: local; bookworm: resolved (fixed i

CVE-2025-4563 | LOW | CVSS 2.7 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2025
[LOW] kubernetes: A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compro

CVE-2024-10220 | HIGH | CVSS 8.1 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2024
[HIGH] kubernetes: The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+really1.20.2-1); forky: resolved (fixed in 1.20.5+really1.

CVE-2024-7598 | LOW | CVSS 3.1 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2024
[LOW] kubernetes: A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a bri

CVE-2024-9042 | LOW | CVSS 5.9 | 2024
[MEDIUM] kubernetes: This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2024-5321 | LOW | CVSS 6.1 | 2024
[MEDIUM] kubernetes: A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2024-3177 | LOW | CVSS 2.7 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2024
[LOW] kubernetes: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specifi

CVE-2023-3955 | HIGH | CVSS 8.8 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[HIGH] kubernetes: A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+really1.20.2-1); forky: resolved (fixed i

CVE-2023-3676 | HIGH | CVSS 8.8 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[HIGH] kubernetes: A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+really1.20.2-1); forky: resolved (fixed i

CVE-2023-3893 | HIGH | CVSS 8.8 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[HIGH] kubernetes: A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved

CVE-2023-2727 | MEDIUM | CVSS 6.5 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[MEDIUM] kubernetes: Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+really1.20.2

CVE-2023-2728 | MEDIUM | CVSS 6.5 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[MEDIUM] kubernetes: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission pl

CVE-2023-5528 | LOW | CVSS 7.2 | 2023
[HIGH] kubernetes: A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixi

CVE-2023-2431 | LOW | CVSS 3.4 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2023
[LOW] kubernetes: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
Scope: local; bookworm: resol

CVE-2022-3294 | MEDIUM | CVSS 6.6 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2022
[MEDIUM] kubernetes: Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. W

CVE-2022-3162 | MEDIUM | CVSS 6.5 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2022
[MEDIUM] kubernetes: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch

CVE-2022-3172 | MEDIUM | CVSS 5.1 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2022
[MEDIUM] kubernetes: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.
Scope: local; bookworm: resolved (fixed in 1.20.5+really1.20.2-1); bullseye: resolved (fixed in 1.20.5+re