K8S.Io Kubernetes vulnerabilities
50 known vulnerabilities affecting k8s.io/kubernetes.
Total CVEs
50
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH10MEDIUM27LOW5UNKNOWN7
Vulnerabilities
Page 3 of 3
CVE-2025-0426P4MEDIUM≥ 1.32.0, < 1.32.2≥ 1.31.0, < 1.31.6+2 more2025-02-13
CVE-2025-0426 [MEDIUM] CWE-400 Node Denial of Service via kubelet Checkpoint API
Node Denial of Service via kubelet Checkpoint API
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
ghsaosv
CVE-2020-8561P4MEDIUM≥ 0, ≤ 1.22.22021-09-21
CVE-2020-8561 [MEDIUM] CWE-441 Confused Deputy in Kubernetes
Confused Deputy in Kubernetes
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.
ghsaosv
CVE-2021-25737P4MEDIUM≥ 1.16.0, < 1.18.19≥ 1.19.0, < 1.19.11+2 more2021-09-07
CVE-2021-25737 [MEDIUM] CWE-184 Incomplete List of Disallowed Inputs in Kubernetes
Incomplete List of Disallowed Inputs in Kubernetes
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
ghsaosv
CVE-2020-8562P4MEDIUMCVSS 6.3≥ 1.21.0, ≤ 1.21.1≥ 1.20.0, ≤ 1.20.7+2 more2022-02-02
CVE-2020-8562 [MEDIUM] CWE-367 Potential proxy IP restriction bypass in Kubernetes
Potential proxy IP restriction bypass in Kubernetes
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not i
ghsaosv
CVE-2024-3177P4LOW≥ 0, < 1.27.13≥ 1.29.0, < 1.29.4+1 more2024-04-23
CVE-2024-3177 [LOW] CWE-20 Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field popu
ghsaosv
CVE-2021-25740P4LOW≥ 0, ≤ 1.22.22021-09-21
CVE-2021-25740 [LOW] CWE-441 Confused Deputy in Kubernetes
Confused Deputy in Kubernetes
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
ghsaosv
CVE-2015-7561P4LOW≥ 0, < 1.2.0-alpha.62022-05-13
CVE-2015-7561 [LOW] Kubernetes in OpenShift3 Access Control Misconfiguration
Kubernetes in OpenShift3 Access Control Misconfiguration
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
ghsaosv
CVE-2025-4563P4LOW≥ 1.32.0, < 1.32.6≥ 1.33.0, < 1.33.22025-06-23
CVE-2025-4563 [LOW] CWE-863 kubernetes allows nodes to bypass dynamic resource allocation authorization checks
kubernetes allows nodes to bypass dynamic resource allocation authorization checks
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform
ghsaosv
CVE-2021-25743P4LOW≥ 0, < 1.26.0-alpha.32022-01-08
CVE-2021-25743 [LOW] CWE-150 kubectl ANSI escape characters not filtered
kubectl ANSI escape characters not filtered
kubectl (k8s.io/kubernetes/pkg/kubectl) does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.
ghsaosv
CVE-2024-7598P4UNKNOWN≥ 1.3.02025-03-25
CVE-2024-7598 Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
osv
← Previous3 / 3