Debian Kubernetes vulnerabilities
68 known vulnerabilities affecting debian/kubernetes.
Total CVEs: 68
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 26, LOW 29
Vulnerabilities
Page 2 of 4
CVE-2021-25741 | HIGH | CVSS 8.8 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2021
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.
CVE-2021-25735 | MEDIUM | CVSS 6.5 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2021
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some prev
CVE-2021-25743 | LOW | CVSS 3.0 | fixed in kubernetes 1.20.5+really1.20.2-1.1 (bookworm) | 2021
kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1.1)
bullseye: open
forky: resolved (fixed in 1.31.4+ds-1)
sid: resolved (fixed in 1.31.4+ds-1)
CVE-2021-25749 | LOW | CVSS 7.8 | 2021
CVE-2021-25749 [HIGH] CVE-2021-25749: kubernetes - Windows workloads can run as ContainerAdministrator even when those workloads se...
Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2021-25736 | LOW | CVSS 5.8 | 2021
CVE-2021-25736 [MEDIUM] CVE-2021-25736: kubernetes - Kube-proxy on Windows can unintentionally forward traffic to local processes l...
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
Scope: lo
CVE-2021-25740 | LOW | CVSS 3.1 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2021
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed
CVE-2021-25737 | LOW | CVSS 2.7 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2021
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (
CVE-2020-8559 | MEDIUM | CVSS 6.4 | fixed in kubernetes 1.18.5-1 (bookworm) | 2020
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
Scope: local
bookworm: resolved (fixed in 1.18.5-1)
bullseye: resolved (fixed in 1.1
CVE-2020-8558 | MEDIUM | CVSS 5.4 | fixed in kubernetes 1.18.5-1 (bookworm) | 2020
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, b
CVE-2020-8561 | MEDIUM | CVSS 4.1 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2020
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and hea
CVE-2020-8551 | MEDIUM | CVSS 4.3 | fixed in kubernetes 1.17.4-1 (bookworm) | 2020
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
Scope: local
bookworm: resolved (fixed in 1.17.4-1)
bul
CVE-2020-8565 | MEDIUM | CVSS 4.7 | fixed in kubernetes 1.20.0-1 (bookworm) | 2020
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Scope: local
bookworm: resolved (fixed in 1.20.0-1)
bullseye: resolved (fixed in 1.20.0-1)
forky: re
CVE-2020-8557 | MEDIUM | CVSS 5.5 | fixed in kubernetes 1.18.5-1 (bookworm) | 2020
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /e
CVE-2020-8562 | MEDIUM | CVSS 6.3 | fixed in kubernetes 1.20.5+really1.20.2-1 (bookworm) | 2020
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in
CVE-2020-8555 | MEDIUM | CVSS 6.3 | fixed in kubernetes 1.18.2-1 (bookworm) | 2020
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback serv
CVE-2020-8566 | MEDIUM | CVSS 4.7 | fixed in kubernetes 1.19.3-1 (bookworm) | 2020
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Scope: local
bookworm: resolved (fixed in 1.19.3-1)
bullseye: resolved (fix
CVE-2020-8564 | MEDIUM | CVSS 4.7 | fixed in kubernetes 1.19.3-1 (bookworm) | 2020
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Scope: local
bookworm: resolved (fixed in 1.19.3-1)
bullseye: resolved (fixed in 1.19
CVE-2020-8552 | MEDIUM | CVSS 5.3 | fixed in kubernetes 1.17.4-1 (bookworm) | 2020
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.
Scope: local
bookworm: resolved (fixed in 1.17.4-1)
bullseye: resolved (fixed in 1.17.4-1)
forky: resolved (fixed in 1.17.4-1)
sid: resolved (fixed in 1.17.4-1)
trixie: resolve
CVE-2020-8563 | LOW | CVSS 4.7 | 2020
CVE-2020-8563 [MEDIUM] CVE-2020-8563: kubernetes - In Kubernetes clusters using VSphere as a cloud provider, with a logging level s...
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2020-8554 | LOW | CVSS 6.3 | fixed in kubernetes 1.31.4+ds-1 (forky) | 2020
CVE-2020-8554 [MEDIUM] CVE-2020-8554: kubernetes - Kubernetes API server in all versions allow an attacker who is able to create a ...
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the stat