Vulnerabilities > Kubernetes > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-30 | CVE-2021-25736 | Unspecified vulnerability in Kubernetes Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. | 6.3 |
2023-10-25 | CVE-2022-4886 | Unspecified vulnerability in Kubernetes Ingress-Nginx Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. | 6.5 |
2023-09-15 | CVE-2022-3466 | Incorrect Default Permissions vulnerability in multiple products The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. | 5.3 |
2023-07-03 | CVE-2023-2727 | Unspecified vulnerability in Kubernetes Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. | 6.5 |
2023-07-03 | CVE-2023-2728 | Unspecified vulnerability in Kubernetes Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. | 6.5 |
2023-06-16 | CVE-2023-2431 | A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. | 5.5 |
2023-06-07 | CVE-2023-2878 | Information Exposure Through Log Files vulnerability in Kubernetes Secrets-Store-Csi-Driver Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs. | 5.5 |
2023-05-24 | CVE-2021-25748 | Unspecified vulnerability in Kubernetes Ingress-Nginx A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. | 6.5 |
2023-03-01 | CVE-2022-3162 | Path Traversal vulnerability in Kubernetes Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. | 6.5 |
2022-04-18 | CVE-2022-27652 | Incorrect Default Permissions vulnerability in multiple products A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. | 5.3 |