Kubernetes vulnerabilities rated Medium risk

Each entry lists: date, CVE, title; one-line description; attack vector, attack complexity, affected products, CWE, risk score.

2022-02-09  CVE-2022-0532  Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
    An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier.
    Attack vector: network; complexity: high; products: kubernetes, redhat; CWE-732; risk score: 4.2
2021-10-11  CVE-2021-25738  Deserialization of Untrusted Data vulnerability in Kubernetes Java
    Loading specially-crafted YAML with the Kubernetes Java Client library can lead to code execution.
    Attack vector: local; complexity: low; products: kubernetes; CWE-502; risk score: 6.7
2021-09-20  CVE-2020-8561  Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes 1.20.11/1.21.5/1.22.2
    A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver.
    Attack vector: network; complexity: low; products: kubernetes; CWE-610; risk score: 4.1
2021-09-06  CVE-2021-25735  Unspecified vulnerability in Kubernetes
    A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook.
    Attack vector: network; complexity: low; products: kubernetes; risk score: 6.5
2021-09-06  CVE-2021-25737  Open Redirect vulnerability in Kubernetes
    A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node.
    Attack vector: network; complexity: low; products: kubernetes; CWE-601; risk score: 4.8
2021-01-21  CVE-2020-8569  NULL Pointer Dereference vulnerability in Kubernetes Container Storage Interface Snapshotter
    Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource that referenced a non-existing PersistentVolumeClaim and did not reference any VolumeSnapshotClass.
    Attack vector: network; complexity: low; products: kubernetes; CWE-476; risk score: 6.5
2021-01-21  CVE-2020-8568  Path Traversal vulnerability in Kubernetes Secrets Store CSI Driver 0.0.15/0.0.16
    Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets.
    Attack vector: network; complexity: low; products: kubernetes; CWE-22; risk score: 6.5
2021-01-21  CVE-2020-8554
    Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address.
    Attack vector: network; complexity: high; products: kubernetes, oracle; risk score: 5.0
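The CVE-2020-8554 entry above describes a Service that claims an IP it does not own through spec.externalIPs. The following is an added example, not Kubernetes project code: an audit pass over the JSON that `kubectl get services -A -o json` prints, flagging every externalIP outside an operator-supplied allow list (the allow list and the sample Service objects are constructed for the example), plus an admission.k8s.io/v1 response builder that denies such Services at create/update time, which is the shape a mitigating admission webhook takes. The HTTPS webhook server around it is not shown.

```python
"""Audit Kubernetes Service objects for spec.externalIPs (the CVE-2020-8554 pattern).

Added example, not Kubernetes project code. `service_list` is the structure that
`kubectl get services -A -o json` prints (a List with `items`); the sample below
is constructed, not captured from a cluster.
"""
import ipaddress
import json
import sys

# Constructed sample: a normal ClusterIP Service, a Service in another tenant's
# namespace that claims an address it should not own, and one in an allowed range.
SAMPLE_SERVICE_LIST = {
    "kind": "List",
    "items": [
        {"kind": "Service",
         "metadata": {"namespace": "shop", "name": "web"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10",
                  "ports": [{"port": 80}]}},
        {"kind": "Service",
         "metadata": {"namespace": "tenant-b", "name": "mitm"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.11",
                  "externalIPs": ["203.0.113.7"], "ports": [{"port": 443}]}},
        {"kind": "Service",
         "metadata": {"namespace": "infra", "name": "ingress"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.12",
                  "externalIPs": ["192.0.2.10"], "ports": [{"port": 443}]}},
    ],
}


def external_ip_findings(service_list, allowed_cidrs=()):
    """Return (namespace, name, ip) for every externalIP outside allowed_cidrs.

    allowed_cidrs is the operator's own list of ranges that may legitimately be
    claimed (hypothetical policy input). Unparseable addresses are reported too.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for raw in svc.get("spec", {}).get("externalIPs") or []:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((meta.get("namespace"), meta.get("name"), raw))
                continue
            if not any(ip in net for net in allowed):
                findings.append((meta.get("namespace"), meta.get("name"), raw))
    return findings


def admission_response(admission_review, allowed_cidrs=()):
    """Build an admission.k8s.io/v1 AdmissionReview response that denies a Service
    setting externalIPs outside allowed_cidrs. Only the request/response bodies
    are handled here; serving them over HTTPS is left to the webhook server."""
    req = admission_review["request"]
    obj = req.get("object") or {}
    bad = external_ip_findings({"items": [obj]}, allowed_cidrs)
    response = {"uid": req["uid"], "allowed": not bad}
    if bad:
        response["status"] = {
            "code": 403,
            "message": "spec.externalIPs not permitted: "
                       + ", ".join(ip for _, _, ip in bad),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    # Pass a file saved from `kubectl get services -A -o json`, or run with no
    # argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SERVICE_LIST
    for ns, name, ip in external_ip_findings(data, allowed_cidrs=["192.0.2.0/24"]):
        print(f"{ns}/{name}: externalIP {ip} outside allowed ranges")
```

The audit and the admission check share one function so that a cluster already in a bad state and a new Service both get the same verdict; an empty allow list (the default) denies every externalIP, which is the safe setting for clusters that never use the field.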
2020-12-07  CVE-2020-8566  Information Exposure Through Log Files vulnerability in Kubernetes
    In Kubernetes clusters using Ceph RBD as a storage provisioner, with a logging level of at least 4, Ceph RBD admin secrets can be written to logs.
    Attack vector: local; complexity: low; products: kubernetes; CWE-532; risk score: 5.5
2020-12-07  CVE-2020-8565  Information Exposure Through Log Files vulnerability in Kubernetes
    In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files.
    Attack vector: local; complexity: low; products: kubernetes; CWE-532; risk score: 5.5
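Both log-exposure entries above (CVE-2020-8566 and CVE-2020-8565) hinge on a verbosity flag, so the practical check is whether a control-plane component is running at or above the level named in its entry. The following is an added example, not Kubernetes project code: it reads a parsed static Pod manifest (for instance /etc/kubernetes/manifests/kube-apiserver.yaml after a YAML parser has loaded it), resolves the effective `-v`/`--v` level the way Go's flag package does (value attached with `=` or given as the next argument, last occurrence wins), and reports containers at or above the risky threshold. The thresholds are the two levels stated above; the manifests are constructed samples, and the assumption that the component is identified by the basename of the first command element is the example's own.

```python
"""Audit control-plane static Pod manifests for verbosity levels that expose
secrets in logs (CVE-2020-8565 for kube-apiserver, CVE-2020-8566 for
kube-controller-manager).

Added example, not Kubernetes project code. Input is a parsed manifest such as
/etc/kubernetes/manifests/kube-apiserver.yaml (load it with a YAML parser); the
samples below are constructed.
"""

# Verbosity at or above which each advisory says sensitive data reaches the logs.
RISK_LEVELS = {
    "kube-apiserver": (9, "authorization and bearer tokens are logged (CVE-2020-8565)"),
    "kube-controller-manager": (4, "Ceph RBD admin secrets are logged during provisioning (CVE-2020-8566)"),
}

# Constructed sample manifests (only the fields the audit reads).
SAMPLE_APISERVER_OK = {
    "kind": "Pod", "metadata": {"name": "kube-apiserver"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "command": ["kube-apiserver", "--secure-port=6443", "--v=2"]}]},
}
SAMPLE_APISERVER_DEBUG = {
    "kind": "Pod", "metadata": {"name": "kube-apiserver"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "command": ["/usr/local/bin/kube-apiserver"],
        "args": ["--secure-port=6443", "-v", "9"]}]},  # left over from debugging
}
SAMPLE_CONTROLLER_MANAGER = {
    "kind": "Pod", "metadata": {"name": "kube-controller-manager"},
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "command": ["kube-controller-manager", "--v=2", "--v=4"]}]},  # last flag wins
}


def effective_verbosity(argv):
    """Return the klog level set by -v/--v in argv, or 0 (the default) if unset.

    Accepts the value attached with '=' or as the following argument; a later
    occurrence overrides an earlier one, as Go's flag package does. Other flags
    that merely start with -v (e.g. --vmodule) are ignored.
    """
    level = 0
    i = 0
    while i < len(argv):
        arg = argv[i]
        value = None
        if arg in ("-v", "--v") and i + 1 < len(argv):
            value = argv[i + 1]
            i += 1
        elif arg.startswith("--v=") or arg.startswith("-v="):
            value = arg.split("=", 1)[1]
        if value is not None:
            try:
                level = int(value)
            except ValueError:
                pass  # malformed value; the component itself would refuse to start
        i += 1
    return level


def audit_manifest(manifest):
    """Return (component, level, why) for each container running a component in
    RISK_LEVELS at or above its risky verbosity. The component is taken from the
    basename of the first element of command (an assumption of this example)."""
    findings = []
    for c in manifest.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        if not argv:
            continue
        component = argv[0].rsplit("/", 1)[-1]
        if component not in RISK_LEVELS:
            continue
        threshold, why = RISK_LEVELS[component]
        level = effective_verbosity(argv[1:])
        if level >= threshold:
            findings.append((component, level, why))
    return findings


if __name__ == "__main__":
    for label, manifest in (("apiserver-ok", SAMPLE_APISERVER_OK),
                            ("apiserver-debug", SAMPLE_APISERVER_DEBUG),
                            ("controller-manager", SAMPLE_CONTROLLER_MANAGER)):
        for component, level, why in audit_manifest(manifest):
            print(f"{label}: {component} runs with --v={level}: {why}")
```

Because both entries are rated with a local attack vector, the exposure is to whoever can read the component's log files or the node's journal, so the same thresholds are worth checking in log-shipping pipelines that copy those logs off the node.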