github.com/kubernetes/kubernetes vulnerabilities

9 known vulnerabilities affecting github.com/kubernetes_kubernetes.

Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 6

Vulnerabilities

CVE-2020-8563 [MEDIUM] CWE-532 Sensitive Information leak via Log File in Kubernetes
Affected: ≥ 0, < 1.19.3
Date: 2024-04-24
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.
Sources: GHSA, OSV

CVE-2020-8566 [MEDIUM] CWE-532 Sensitive Information leak via Log File in Kubernetes
Affected: ≥ 0, < 1.17.13; ≥ 1.18.0, < 1.18.10; +1 more
Date: 2024-04-24
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Sources: GHSA, OSV

CVE-2022-3294 [HIGH] CWE-20 Kubernetes vulnerable to validation bypass
Affected: ≥ 1.25.0, < 1.25.4; ≥ 1.24.0, < 1.24.8; +2 more
Date: 2023-03-01
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes alre
Sources: GHSA, OSV

CVE-2022-3162 [MEDIUM] CWE-22 Kubernetes vulnerable to path traversal
Affected: ≥ 1.25.0, < 1.25.4; ≥ 1.24.0, < 1.24.8; +2 more
Date: 2023-03-01
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true:
1. There are 2+ CustomResourceDefinitions sharing the same API group
2. Users have cluster-wide list or watch authorization on one of
Sources: GHSA, OSV

CVE-2020-8564 [MEDIUM] CWE-532 Kubernetes Sensitive Information leak via Log File
Affected: ≥ 1.19.0, < 1.19.3; ≥ 1.18.0, < 1.18.10; +1 more
Date: 2023-02-06
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Sources: GHSA, OSV

CVE-2015-7528 [MEDIUM] CWE-200 Information Exposure in Kubernetes
Affected: ≥ 0, < 1.2.0
Date: 2022-04-12
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
Sources: GHSA, OSV

CVE-2018-1002105 [CRITICAL] CWE-269 Privilege Escalation in Kubernetes
Public exploit: PoC
Affected: ≥ 0, < 1.10.11; ≥ 1.11.0, < 1.11.5; +1 more
Date: 2022-02-15
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API serve
Sources: GHSA, OSV

CVE-2016-1905 [HIGH] CWE-284 Access Restriction Bypass in Kubernetes
Affected: ≥ 0, < 1.2.0-alpha.6
Date: 2022-02-15
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
Specific Go packages affected: github.com/kubernetes/kubernetes/pkg/apiserver
Sources: GHSA, OSV

CVE-2015-5305 [MEDIUM] CWE-22 Directory Traversal in Kubernetes
Affected: ≥ 0, < 1.1.1
Date: 2022-02-15
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
Sources: GHSA, OSV