Vulnerabilities > Kubernetes

DATE CVE VULNERABILITY TITLE RISK
2019-08-29 CVE-2019-11246 Path Traversal vulnerability in Kubernetes
The kubectl cp command allows copying files between containers and the user machine.
network
low complexity
kubernetes CWE-22
6.5
2019-08-29 CVE-2019-11245 Permissions, Privileges, and Access Controls vulnerability in Kubernetes 1.13.6/1.14.2
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.
local
low complexity
kubernetes CWE-264
7.8
2019-04-22 CVE-2019-11244 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-).
local
low complexity
kubernetes netapp redhat CWE-732
5.0
2019-04-22 CVE-2019-11243 Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).
network
high complexity
kubernetes netapp CWE-212
8.1
2019-04-02 CVE-2019-9946 Always-Incorrect Control Flow Implementation vulnerability in multiple products
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes.
network
low complexity
kubernetes cncf netapp CWE-670
7.5
2019-04-01 CVE-2019-1002101 Link Following vulnerability in multiple products
The kubectl cp command allows copying files between containers and the user machine.
local
low complexity
kubernetes redhat CWE-59
5.5
2019-04-01 CVE-2019-1002100 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g.
network
low complexity
kubernetes redhat CWE-770
6.5
2019-01-03 CVE-2018-18264 Missing Authentication for Critical Function vulnerability in Kubernetes Dashboard
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
network
low complexity
kubernetes CWE-306
7.5
2018-12-05 CVE-2018-1002105 7PK - Errors vulnerability in multiple products
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
network
low complexity
kubernetes redhat netapp CWE-388
critical
9.8
2018-12-05 CVE-2018-1002103 Cross-Site Request Forgery (CSRF) vulnerability in Kubernetes Minikube
In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000.
network
low complexity
kubernetes CWE-352
8.8