Latest Kubernetes Security Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2020-07-29 CVE-2020-8553 Externally Controlled Reference TO A Resource in Another Sphere vulnerability in Kubernetes Ingress-Nginx
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.
4.9
2020-07-27 CVE-2020-8558 Improper Authentication vulnerability in Kubernetes
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace.
low complexity
kubernetes CWE-287
5.8
2020-07-23 CVE-2020-8557 Resource Exhaustion vulnerability in Kubernetes
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file.
local
low complexity
kubernetes CWE-400
2.1
2020-07-23 CVE-2019-11252 Information Exposure Through AN Error Message vulnerability in Kubernetes
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.
network
low complexity
kubernetes CWE-209
5.0
2020-07-22 CVE-2020-8559 Open Redirect vulnerability in Kubernetes
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
6.0
2020-06-05 CVE-2020-8555 Server-Side Request Forgery (SSRF) vulnerability in Kubernetes
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
3.5
2020-04-01 CVE-2019-11254 Resource Exhaustion vulnerability in Kubernetes
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
network
low complexity
kubernetes CWE-400
4.0
2020-03-27 CVE-2020-8551 Allocation of Resources Without Limits OR Throttling vulnerability in Kubernetes
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
low complexity
kubernetes CWE-770
3.3
2020-03-27 CVE-2020-8552 Allocation of Resources Without Limits OR Throttling vulnerability in Kubernetes
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.
network
low complexity
kubernetes CWE-770
4.0
2020-02-03 CVE-2019-11251 Link Following vulnerability in Kubernetes
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation.
4.3