Vulnerabilities > Kubernetes > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-04-22 CVE-2019-11243 Credentials Management vulnerability in Kubernetes
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).
4.3
2019-04-01 CVE-2019-1002101 Link Following vulnerability in multiple products
The kubectl cp command allows copying files between containers and the user machine.
local
low complexity
kubernetes redhat CWE-59
5.5
2019-04-01 CVE-2019-1002100 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g.
network
low complexity
kubernetes redhat CWE-770
6.5
2018-12-05 CVE-2018-1002103 Cross-Site Request Forgery (CSRF) vulnerability in Kubernetes Minikube
In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000.
6.8
2018-05-18 CVE-2018-1000400 Improper Privilege Management vulnerability in Kubernetes Cri-O
Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have.
network
low complexity
kubernetes CWE-269
6.5
2018-03-13 CVE-2017-1002102 Unspecified vulnerability in Kubernetes
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
local
kubernetes
6.3
2018-03-13 CVE-2017-1002101 Link Following vulnerability in Kubernetes
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
network
low complexity
kubernetes CWE-59
5.5
2017-09-14 CVE-2017-1002100 Information Exposure vulnerability in Kubernetes
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet.
network
low complexity
kubernetes CWE-200
4.0
2016-04-11 CVE-2015-7528 Information Exposure vulnerability in multiple products
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
network
low complexity
kubernetes redhat CWE-200
5.3