Vulnerabilities > Kubernetes
| Date | CVE | Vulnerability | Description | Score |
|---|---|---|---|---|
| 2021-01-21 | CVE-2020-8570 | Path Traversal vulnerability in Kubernetes Java | Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. | 6.4 |
| 2021-01-21 | CVE-2020-8569 | Null Pointer Dereference vulnerability in Kubernetes Container Storage Interface Snapshotter | Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when the VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. | 4.0 |
| 2021-01-21 | CVE-2020-8568 | Path Traversal vulnerability in Kubernetes Secrets Store CSI Driver 0.0.15/0.0.16 | Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. | 4.9 |
| 2021-01-21 | CVE-2020-8554 | Incorrect Authorization vulnerability in Kubernetes | Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. | 6.0 |
| 2020-12-07 | CVE-2020-8566 | Information Exposure Through Log Files vulnerability in Kubernetes | In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. | 2.1 |
| 2020-12-07 | CVE-2020-8565 | Information Exposure Through Log Files vulnerability in Kubernetes | In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. | 2.1 |
| 2020-12-07 | CVE-2020-8564 | Information Exposure Through Log Files vulnerability in Kubernetes | In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. | 2.1 |
| 2020-12-07 | CVE-2020-8563 | Information Exposure Through Log Files vulnerability in Kubernetes | In Kubernetes clusters using vSphere as a cloud provider, with a logging level set to 4 or above, vSphere cloud credentials will be leaked in the cloud controller manager's log. | 2.1 |
| 2020-07-29 | CVE-2020-8553 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes Ingress-Nginx | The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name. | 4.9 |
| 2020-07-27 | CVE-2020-8558 | Improper Authentication vulnerability in Kubernetes | The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. | 5.8 |