Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Kubernetes
(Kubernetes)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 56 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2016-02-03 | CVE-2016-1905 | The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. | Kubernetes | 7.7 | ||
| 2016-02-03 | CVE-2016-1906 | Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. | Kubernetes | 9.8 | ||
| 2016-04-11 | CVE-2015-7528 | Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. | Kubernetes, Openshift | 5.3 | ||
| 2018-09-10 | CVE-2016-7075 | It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate. | Kubernetes, Openshift | 8.1 | ||
| 2017-08-07 | CVE-2015-7561 | Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. | Kubernetes, Openshift | 3.1 | ||
| 2019-08-29 | CVE-2019-11250 | The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. | Kubernetes, Openshift_container_platform | 6.5 | ||
| 2020-07-23 | CVE-2019-11252 | The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. | Kubernetes | N/A | ||
| 2020-04-01 | CVE-2019-11254 | The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. | Kubernetes | N/A | ||
| 2019-08-29 | CVE-2019-11249 | The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the... | Kubernetes | 6.5 | ||
| 2020-02-03 | CVE-2019-11251 | The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree. | Kubernetes | N/A |