Vulnerabilities > Kubernetes > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-12-07 CVE-2020-8564 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.
local
low complexity
kubernetes CWE-532
5.5
2020-12-07 CVE-2020-8563 Information Exposure Through Log Files vulnerability in Kubernetes
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.
local
low complexity
kubernetes CWE-532
5.5
2020-07-29 CVE-2020-8553 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes Ingress-Nginx
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.
network
high complexity
kubernetes CWE-610
5.9
2020-07-23 CVE-2020-8557 Resource Exhaustion vulnerability in Kubernetes
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file.
local
low complexity
kubernetes CWE-400
5.5
2020-07-23 CVE-2019-11252 Information Exposure Through an Error Message vulnerability in Kubernetes
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.
network
low complexity
kubernetes CWE-209
6.5
2020-07-22 CVE-2020-8559 Open Redirect vulnerability in Kubernetes
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
network
low complexity
kubernetes CWE-601
6.8
2020-06-05 CVE-2020-8555 Server-Side Request Forgery (SSRF) vulnerability in multiple products
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
network
high complexity
kubernetes fedoraproject CWE-918
6.3
2020-04-01 CVE-2019-11254 Unspecified vulnerability in Kubernetes
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
network
low complexity
kubernetes
6.5
2020-03-27 CVE-2020-8552 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.
network
low complexity
kubernetes fedoraproject CWE-770
4.3
2020-03-27 CVE-2020-8551 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
6.5