Filtered by vendor Kubernetes Subscriptions
Total 97 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-1002102 3 Fedoraproject, Kubernetes, Redhat 3 Fedora, Kubernetes, Openshift 2024-11-21 2.6 Low
Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet.
CVE-2018-1002101 1 Kubernetes 1 Kubernetes 2024-11-21 N/A
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
CVE-2018-1002100 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
CVE-2018-1000400 2 Kubernetes, Redhat 2 Cri-o, Openshift 2024-11-21 N/A
Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.
CVE-2017-1002102 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
CVE-2017-1002101 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
CVE-2017-1002100 1 Kubernetes 1 Kubernetes 2024-11-21 N/A
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
CVE-2017-1000056 1 Kubernetes 1 Kubernetes 2024-11-21 N/A
Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.
CVE-2016-7075 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.
CVE-2016-1906 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
CVE-2016-1905 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
CVE-2015-7561 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
CVE-2015-7528 2 Kubernetes, Redhat 2 Kubernetes, Openshift 2024-11-21 N/A
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
CVE-2024-9486 1 Kubernetes 1 Image Builder 2024-11-08 9.8 Critical
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
CVE-2024-9594 1 Kubernetes 1 Image Builder 2024-11-08 6.3 Medium
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.
CVE-2024-45794 1 Kubernetes 1 Devtron 2024-11-08 8.3 High
devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-32192 1 Kubernetes 1 Apiserver 2024-10-16 8.3 High
A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser