Vulnerabilities > Kubernetes

DATE CVE VULNERABILITY TITLE RISK
2021-01-21 CVE-2020-8570 Path Traversal vulnerability in Kubernetes Java
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive.
network
low complexity
kubernetes CWE-22
6.4
2021-01-21 CVE-2020-8569 Null Pointer Dereference vulnerability in Kubernetes Container Storage Interface Snapshotter
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when the VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
network
low complexity
kubernetes CWE-476
4.0
2021-01-21 CVE-2020-8568 Path Traversal vulnerability in Kubernetes Secrets Store CSI Driver 0.0.15/0.0.16
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets.
network
kubernetes CWE-22
4.9
2021-01-21 CVE-2020-8554 Incorrect Authorization vulnerability in Kubernetes
The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address.
6.0
2020-12-07 CVE-2020-8566 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs.
local
low complexity
kubernetes CWE-532
2.1
2020-12-07 CVE-2020-8565 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files.
local
low complexity
kubernetes CWE-532
2.1
2020-12-07 CVE-2020-8564 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.
local
low complexity
kubernetes CWE-532
2.1
2020-12-07 CVE-2020-8563 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes clusters using vSphere as a cloud provider, with a logging level set to 4 or above, vSphere cloud credentials will be leaked in the cloud controller manager's log.
local
low complexity
kubernetes CWE-532
2.1
2020-07-29 CVE-2020-8553 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes Ingress-Nginx
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.
4.9
2020-07-27 CVE-2020-8558 Improper Authentication vulnerability in Kubernetes
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace.
low complexity
kubernetes CWE-287
5.8