Vulnerabilities > Kubernetes
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-04-22 | CVE-2019-11243 | Credentials Management vulnerability in Kubernetes In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). | 4.3 |
| 2019-04-02 | CVE-2019-9946 | Always-Incorrect Control Flow Implementation vulnerability in multiple products Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. | 7.5 |
| 2019-04-01 | CVE-2019-1002101 | Link Following vulnerability in multiple products The kubectl cp command allows copying files between containers and the user machine. | 5.5 |
| 2019-04-01 | CVE-2019-1002100 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. | 6.5 |
| 2019-01-03 | CVE-2018-18264 | Missing Authentication for Critical Function vulnerability in Kubernetes Dashboard Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. | 7.5 |
| 2018-12-05 | CVE-2018-1002105 | 7PK - Errors vulnerability in multiple products In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. | 9.8 |
| 2018-12-05 | CVE-2018-1002103 | Cross-Site Request Forgery (CSRF) vulnerability in Kubernetes Minikube In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. | 6.8 |
| 2018-12-05 | CVE-2018-1002101 | Unspecified vulnerability in Kubernetes In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. | 7.5 |
| 2018-09-10 | CVE-2016-7075 | Improper Certificate Validation vulnerability in multiple products It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. | 8.1 |
| 2018-06-02 | CVE-2018-1002100 | Improper Input Validation vulnerability in Kubernetes In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. | 3.6 |