Vulnerabilities > Kubernetes > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-29 | CVE-2021-25742 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. | 7.1 |
2021-09-20 | CVE-2021-25741 | Files or Directories Accessible to External Parties vulnerability in Kubernetes A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. | 8.1 |
2020-07-27 | CVE-2020-8558 | Unspecified vulnerability in Kubernetes The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. low complexity kubernetes | 8.8 |
2019-10-17 | CVE-2019-11253 | XML Entity Expansion vulnerability in multiple products Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. | 7.5 |
2019-08-29 | CVE-2019-11248 | Missing Authorization vulnerability in Kubernetes The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. | 8.2 |
2019-08-29 | CVE-2019-11247 | Incorrect Authorization vulnerability in multiple products The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. | 8.1 |
2019-08-29 | CVE-2019-11245 | Permissions, Privileges, and Access Controls vulnerability in Kubernetes 1.13.6/1.14.2 In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. | 7.8 |
2019-04-22 | CVE-2019-11243 | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). | 8.1 |
2019-04-02 | CVE-2019-9946 | Always-Incorrect Control Flow Implementation vulnerability in multiple products Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. | 7.5 |
2019-01-03 | CVE-2018-18264 | Missing Authentication for Critical Function vulnerability in Kubernetes Dashboard Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. | 7.5 |