k8s.io/kubernetes vulnerabilities

50 known vulnerabilities affecting k8s.io/kubernetes.

Total CVEs: 50
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 10, MEDIUM 27, LOW 5, UNKNOWN 7

Vulnerabilities

Page 2 of 3
CVE-2023-3676 | HIGH | ≥ 1.28.0, < 1.28.1; ≥ 1.27.0, < 1.27.5; +3 more | 2023-10-31
CWE-20: Kubernetes privilege escalation vulnerability
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
ghsa | osv

CVE-2021-25736 | MEDIUM | ≥ 0, < 1.21 | 2023-10-30
Kube-proxy may unintentionally forward traffic
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (`spec.ports[*].port`) as a LoadBalancer Service when the LoadBalancer controller does not set the `status.loadBalancer.ingress[].ip` field. Clusters where the LoadBalancer controller sets the `status.loadBalancer.ingress[].ip` field are unaffected.
ghsa | osv

CVE-2023-2727 | MEDIUM | ≥ 1.27.0, < 1.27.3; ≥ 1.26.0, < 1.26.6; +2 more | 2023-07-03
CWE-20: kube-apiserver vulnerable to policy bypass
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
ghsa | osv

CVE-2023-2728 | MEDIUM | ≥ 1.27.0, < 1.27.3; ≥ 1.26.0, < 1.26.6; +2 more | 2023-07-03
CWE-20: Kubernetes mountable secrets policy bypass
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kube
ghsa | osv

CVE-2023-2431 | MEDIUM | ≥ 0, < 1.24.14; ≥ 1.25.0, < 1.25.10; +2 more | 2023-06-16
CWE-1287: Kubelet vulnerable to bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
ghsa | osv

CVE-2020-8565 | MEDIUM | ≥ 0, < 1.20.0-alpha.2 | 2023-02-06
CWE-532: Kubernetes client-go vulnerable to Sensitive Information Leak via Log File
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.5, <= v1.18.13, <= v1.17.15, < v1.20.0-alpha2.
ghsa | osv

CVE-2020-8564 | MEDIUM | ≥ 0, < 1.20.0-alpha.1 | 2023-02-06
CWE-532: Kubernetes Sensitive Information leak via Log File
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
ghsa | osv

CVE-2019-11243 | HIGH | ≥ 1.12.0, < 1.12.5; ≥ 1.13.0, < 1.13.1 | 2022-05-24
CWE-212: Kubernetes did not effectively clear service account credentials
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using re
ghsa | osv

CVE-2019-11250 | MEDIUM | ≥ 0, < 1.16.0-beta.1 | 2022-05-24
CWE-532: Kubernetes client-go library logs may disclose credentials to unauthorized users
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at hig
ghsa | osv

CVE-2018-1002100 | MEDIUM | ≥ 1.5.0-alpha.0, < 1.9.6 | 2022-05-13
CWE-20: Kubernetes arbitrary file overwrite
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
ghsa | osv

CVE-2019-1002100 | MEDIUM | ≥ 1.0.0, ≤ 1.10.14; ≥ 1.11.0, < 1.11.8; +2 more | 2022-05-13
CWE-770: Kubernetes DoS Vulnerability
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
ghsa | osv

CVE-2017-1002102 | MEDIUM | ≥ 1.3.0, < 1.7.14; ≥ 1.8.0, < 1.8.9; +1 more | 2022-05-13
CWE-284: Kubernetes arbitrary file overwrite
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
ghsa | osv

CVE-2015-7561 | LOW | ≥ 0, < 1.2.0-alpha.6 | 2022-05-13
Kubernetes in OpenShift3 Access Control Misconfiguration
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
ghsa | osv

CVE-2020-8558 | HIGH | ≥ 1.18.0, < 1.18.4; ≥ 1.17.0, < 1.17.7; +1 more | 2022-02-15
CWE-420: Improper Authentication in Kubernetes
A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other
ghsa | osv

CVE-2018-1002101 | MEDIUM | ≥ 1.9.0, < 1.9.10; ≥ 1.10.0, < 1.10.6; +1 more | 2022-02-15
CWE-78: Kubernetes Arbitrary Command Injection
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
Specific Go packages affected: k8s.io/kubernetes/pkg/util/mount
ghsa | osv

CVE-2015-5305 | MEDIUM | ≥ 0, < 1.1.1 | 2022-02-15
CWE-22: Directory Traversal in Kubernetes
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
ghsa | osv

CVE-2020-8555 | MEDIUM | ≥ 1.18.0, < 1.18.1; ≥ 1.17.0, < 1.17.4; +2 more | 2022-02-15
CWE-918: Server Side Request Forgery (SSRF) in Kubernetes
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services)
ghsa | osv

CVE-2019-1002101 | MEDIUM | ≥ 0, < 1.11.9; ≥ 1.12.0, < 1.12.7; +1 more | 2022-02-15
CWE-59: Symlink Attack in kubectl cp
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on
ghsa | osv

CVE-2020-8551 | MEDIUM | ≥ 1.15.0, < 1.15.10; ≥ 1.16.0, < 1.16.6; +1 more | 2022-02-15
CWE-770: Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authentica
ghsa | osv

CVE-2020-8554 | MEDIUM | ≥ 0, ≤ 1.22.0 | 2022-02-08
CWE-283: Unverified Ownership in Kubernetes
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to sim
ghsa | osv