Vulnerabilities > Kubernetes > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-10-30 CVE-2021-25736 Unspecified vulnerability in Kubernetes
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field.
network
high complexity
kubernetes
6.3
2023-10-25 CVE-2022-4886 Unspecified vulnerability in Kubernetes Ingress-Nginx
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
network
low complexity
kubernetes
6.5
2023-09-15 CVE-2022-3466 Incorrect Default Permissions vulnerability in multiple products
The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600.
local
low complexity
kubernetes redhat CWE-276
5.3
2023-07-03 CVE-2023-2727 Unspecified vulnerability in Kubernetes
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers.
network
low complexity
kubernetes
6.5
2023-07-03 CVE-2023-2728 Unspecified vulnerability in Kubernetes
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.
network
low complexity
kubernetes
6.5
2023-06-16 CVE-2023-2431 A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement.
local
low complexity
kubernetes fedoraproject
5.5
2023-06-07 CVE-2023-2878 Information Exposure Through Log Files vulnerability in Kubernetes Secrets-Store-Csi-Driver
Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.
local
low complexity
kubernetes CWE-532
5.5
2023-05-24 CVE-2021-25748 Unspecified vulnerability in Kubernetes Ingress-Nginx
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller.
network
low complexity
kubernetes
6.5
2023-03-01 CVE-2022-3162 Path Traversal vulnerability in Kubernetes
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization.
network
low complexity
kubernetes CWE-22
6.5
2022-04-18 CVE-2022-27652 Incorrect Default Permissions vulnerability in multiple products
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions.
5.3