Skip to main content

Kubernetes

603 CVEs product

Monthly

CVE-2020-8555 Go MEDIUM PATCH This Month

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes SSRF Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
3.7%
CVE-2020-7010 Go HIGH PATCH This Week

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Elastic Information Disclosure Elastic Cloud On Kubernetes
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-10749 Go MEDIUM PATCH This Month

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes Information Disclosure Cni Network Plugins Openshift Container Platform Fedora +1
NVD
CVSS 3.1
6.0
EPSS
2.4%
CVE-2020-11013 Go MEDIUM POC PATCH This Month

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
CVSS 3.1
5.0
EPSS
1.3%
CVE-2020-7922 MEDIUM This Month

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Mongodb Enterprise Kubernetes Operator
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2020-8552 Go MEDIUM PATCH This Month

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Denial Of Service Fedora
NVD GitHub
CVSS 3.1
4.3
EPSS
2.4%
CVE-2020-8551 Go MEDIUM PATCH This Month

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Kubernetes Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-1753 PyPI MEDIUM POC PATCH This Month

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Ansible Engine Ansible Tower Debian Linux +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2020-2121 Maven HIGH PATCH This Week

Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Kubernetes RCE Jenkins Google Kubernetes Engine
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2019-19922 MEDIUM POC PATCH This Month

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Linux Kubernetes Linux Kernel Sd Wan Edge +12
NVD GitHub
CVSS 3.1
5.5
EPSS
0.9%
CVE-2019-16576 Maven MEDIUM This Month

A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes Alauda Kubernetes Support
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-16575 Maven HIGH This Week

A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF Alauda Kubernetes Support
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2019-11255 Go MEDIUM PATCH This Month

Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes External Provisioner External Resizer External Snapshotter +1
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2019-10470 Maven MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes Kubernetes Ci
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10469 Maven MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes Kubernetes Ci
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2019-10468 Maven HIGH This Week

A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF Kubernetes Ci
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2019-11253 Go HIGH POC PATCH THREAT This Week

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
7.5
EPSS
25.9%
CVE-2019-10445 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes Google Google Kubernetes Engine
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2019-10418 Maven CRITICAL Act Now

Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes Kubernetes Pipeline
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2019-10417 Maven CRITICAL Act Now

Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes Kubernetes Pipeline
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2019-15728 HIGH This Week

An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes SSRF Gitlab
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-6648 MEDIUM This Month

On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Red Hat Container Ingress Service Openshift
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2019-13209 Go MEDIUM PATCH This Month

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Kubernetes Rancher
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2019-11250 Go MEDIUM PATCH This Month

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2019-11249 MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
3.7%
CVE-2019-11248 HIGH POC PATCH THREAT This Week

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Kubernetes
NVD GitHub
CVSS 3.1
8.2
EPSS
61.1%
CVE-2019-11247 Go HIGH PATCH This Week

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
8.1
EPSS
2.1%
CVE-2019-11246 MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
6.5
EPSS
3.6%
CVE-2019-11245 Go HIGH POC PATCH This Week

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.0
7.8
EPSS
0.6%
CVE-2019-10365 Maven MEDIUM PATCH This Month

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Jenkins Kubernetes Information Disclosure Kubernetes Engine
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2019-10165 LOW PATCH Monitor

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
2.3
EPSS
0.4%
CVE-2019-10339 Maven HIGH PATCH This Week

A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes Jx Resources
NVD
CVSS 3.1
8.8
EPSS
1.8%
CVE-2019-10338 Maven HIGH PATCH This Week

A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF Jx Resources
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2019-4119 MEDIUM PATCH This Month

IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Kubernetes Cloud Private
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2019-11244 Go MEDIUM PATCH This Month

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Trident Openshift Container Platform
NVD GitHub
CVSS 3.1
5.0
EPSS
0.5%
CVE-2019-11243 Go HIGH PATCH This Week

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Kubernetes Trident
NVD GitHub
CVSS 3.1
8.1
EPSS
1.5%
CVE-2019-9946 HIGH PATCH This Week

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Portmap Cloud Insights
NVD GitHub
CVSS 3.0
7.5
EPSS
3.1%
CVE-2019-1002101 Go MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.0
5.5
EPSS
13.2%
CVE-2019-1002100 Go MEDIUM PATCH This Month

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
10.6%
CVE-2019-3869 HIGH PATCH This Week

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kubernetes Ansible Tower
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2019-3780 HIGH This Week

Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contains a configuration file with IAAS credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Kubernetes Container Runtime
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-3779 HIGH This Week

Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes Container Runtime
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-1002105 Go CRITICAL POC PATCH THREAT Act Now

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kubernetes Openshift Container Platform Trident
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
87.0%
CVE-2018-1002103 Go HIGH This Week

In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF RCE Kubernetes Minikube
NVD GitHub
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-1002101 Go CRITICAL PATCH Act Now

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Microsoft Kubernetes
NVD GitHub
CVSS 3.0
9.8
EPSS
4.1%
CVE-2018-18843 CRITICAL POC Act Now

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab SSRF Kubernetes
NVD
CVSS 3.0
10.0
EPSS
1.6%
CVE-2018-2475 HIGH This Week

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Gardener
NVD
CVSS 3.0
8.5
EPSS
1.3%
CVE-2018-10937 MEDIUM POC PATCH This Month

A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Kubernetes Openshift Container Platform
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2018-1999040 Maven HIGH PATCH This Week

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins Information Disclosure
NVD
CVSS 3.0
8.8
EPSS
1.4%
CVE-2018-5543 HIGH This Week

The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Big Ip Controller
NVD
CVSS 3.0
8.8
EPSS
1.2%
CVE-2018-1000187 Maven MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins Information Disclosure
NVD
CVSS 3.0
6.5
EPSS
1.3%
CVE-2018-1002100 Go MEDIUM PATCH This Month

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes
NVD GitHub
CVSS 3.0
5.5
EPSS
1.6%
CVE-2018-1000400 HIGH PATCH This Week

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Kubernetes Cri O
NVD GitHub
CVSS 3.0
8.8
EPSS
2.1%
CVE-2018-5256 HIGH This Week

CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Tectonic
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2018-0268 CRITICAL Act Now

A vulnerability in the container management subsystem of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and gain elevated. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes Cisco Digital Network Architecture Center
NVD
CVSS 3.0
10.0
EPSS
5.4%
CVE-2017-1002100 MEDIUM PATCH This Month

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Microsoft Kubernetes Information Disclosure
NVD GitHub
CVSS 3.0
6.5
EPSS
0.3%
CVE-2015-7561 Go LOW PATCH Monitor

Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Kubernetes Privilege Escalation Openshift
NVD GitHub
CVSS 3.0
3.1
EPSS
0.2%
CVE-2017-1000056 Go CRITICAL PATCH Act Now

Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Kubernetes Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2016-5392 MEDIUM This Month

The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Red Hat Information Disclosure Openshift
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2015-7528 Go MEDIUM PATCH This Month

Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Kubernetes Information Disclosure Openshift
NVD GitHub
CVSS 3.0
5.3
EPSS
0.4%
CVE-2016-1906 Go CRITICAL PATCH Act Now

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Kubernetes
NVD GitHub
CVSS 3.0
9.8
EPSS
2.5%
CVE-2016-1905 Go HIGH PATCH This Week

The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Authentication Bypass
NVD GitHub
CVSS 3.0
7.7
EPSS
0.2%
CVE-2015-5305 Go MEDIUM PATCH This Month

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Kubernetes Red Hat Openshift
NVD
CVSS 2.0
6.4
EPSS
0.3%
EPSS 4% CVSS 6.3
MEDIUM PATCH This Month

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes SSRF Fedora
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Elastic Information Disclosure +1
NVD
EPSS 2% CVSS 6.0
MEDIUM PATCH This Month

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

Kubernetes Information Disclosure Cni Network Plugins +3
NVD
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Helm
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Mongodb Enterprise Kubernetes Operator
NVD GitHub
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Denial Of Service Fedora
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Kubernetes Fedora
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Kubernetes Information Disclosure Ansible Engine +3
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Kubernetes RCE +2
NVD
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Linux Kubernetes +14
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes External Provisioner +3
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Kubernetes +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF +1
NVD
EPSS 26% CVSS 7.5
HIGH POC PATCH THREAT This Week

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Kubernetes Openshift Container Platform
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes +2
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes +1
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes SSRF Gitlab
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Red Hat +2
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Kubernetes Rancher
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
EPSS 4% CVSS 6.5
MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
EPSS 61% CVSS 8.2
HIGH POC PATCH THREAT This Week

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Kubernetes
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
EPSS 4% CVSS 6.5
MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Kubernetes
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Jenkins Kubernetes +2
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Kubernetes +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Kubernetes CSRF +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Kubernetes +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Trident +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Kubernetes Trident
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Kubernetes Portmap +1
NVD GitHub
EPSS 13% CVSS 5.5
MEDIUM PATCH This Month

The kubectl cp command allows copying files between containers and the user machine. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Kubernetes Openshift Container Platform
NVD GitHub
EPSS 11% CVSS 6.5
MEDIUM PATCH This Month

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Kubernetes Openshift Container Platform
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kubernetes Ansible Tower
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contains a configuration file with IAAS credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Kubernetes Container Runtime
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes Container Runtime
NVD
EPSS 87% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kubernetes Openshift Container Platform +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 8.8
HIGH This Week

In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF RCE Kubernetes +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Microsoft Kubernetes
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL POC Act Now

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab SSRF Kubernetes
NVD
EPSS 1% CVSS 8.5
HIGH This Week

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Gardener
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Kubernetes Openshift Container Platform
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Big Ip Controller
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Kubernetes Jenkins +1
NVD
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Kubernetes Cri O
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Kubernetes Information Disclosure Tectonic
NVD
EPSS 5% CVSS 10.0
CRITICAL Act Now

A vulnerability in the container management subsystem of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and gain elevated. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Kubernetes Cisco +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Microsoft Kubernetes Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Kubernetes Privilege Escalation Openshift
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Kubernetes Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes Red Hat Information Disclosure +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Kubernetes Information Disclosure Openshift
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Kubernetes
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Kubernetes Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Kubernetes Red Hat +1
NVD
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy