Vulnerabilities > Kubernetes > High

DATE CVE VULNERABILITY TITLE RISK
2021-10-29 CVE-2021-25742 A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
network
low complexity
kubernetes netapp
7.1
2021-09-20 CVE-2021-25741 Files or Directories Accessible to External Parties vulnerability in Kubernetes
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
network
low complexity
kubernetes CWE-552
8.1
2020-07-27 CVE-2020-8558 Unspecified vulnerability in Kubernetes
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace.
low complexity
kubernetes
8.8
2019-10-17 CVE-2019-11253 XML Entity Expansion vulnerability in multiple products
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable.
network
low complexity
kubernetes redhat CWE-776
7.5
2019-08-29 CVE-2019-11248 Missing Authorization vulnerability in Kubernetes
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port.
network
low complexity
kubernetes CWE-862
8.2
2019-08-29 CVE-2019-11247 Incorrect Authorization vulnerability in multiple products
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced.
network
low complexity
kubernetes redhat CWE-863
8.1
2019-08-29 CVE-2019-11245 Permissions, Privileges, and Access Controls vulnerability in Kubernetes 1.13.6/1.14.2
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.
local
low complexity
kubernetes CWE-264
7.8
2019-04-22 CVE-2019-11243 Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).
network
high complexity
kubernetes netapp CWE-212
8.1
2019-04-02 CVE-2019-9946 Always-Incorrect Control Flow Implementation vulnerability in multiple products
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes.
network
low complexity
kubernetes cncf netapp CWE-670
7.5
2019-01-03 CVE-2018-18264 Missing Authentication for Critical Function vulnerability in Kubernetes Dashboard
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
network
low complexity
kubernetes CWE-306
7.5