Vulnerabilities > Kubernetes > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-18 | CVE-2022-27652 | Incorrect Default Permissions vulnerability in multiple products A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. | 4.6 |
| 2022-02-09 | CVE-2022-0532 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. | 4.9 |
| 2021-10-29 | CVE-2021-25742 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. | 5.5 |
| 2021-10-11 | CVE-2021-25738 | Deserialization of Untrusted Data vulnerability in Kubernetes Java Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. | 6.7 |
| 2021-09-20 | CVE-2020-8561 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes 1.20.11/1.21.5/1.22.2 A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. | 4.0 |
| 2021-09-20 | CVE-2021-25741 | Files or Directories Accessible to External Parties vulnerability in Kubernetes A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. | 5.5 |
| 2021-09-06 | CVE-2021-25735 | Unspecified vulnerability in Kubernetes A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. | 6.5 |
| 2021-09-06 | CVE-2021-25737 | Open Redirect vulnerability in Kubernetes A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. | 4.9 |
| 2021-01-21 | CVE-2020-8569 | NULL Pointer Dereference vulnerability in Kubernetes Container Storage Interface Snapshotter Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. | 4.0 |
| 2021-01-21 | CVE-2020-8568 | Path Traversal vulnerability in Kubernetes Secrets Store CSI Driver 0.0.15/0.0.16 Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. | 4.9 |