Kubernetes: Security Vulnerabilities
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
CVSS Score
6.5
EPSS Score
0.022
Published
2023-07-03
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
CVSS Score
3.4
EPSS Score
0.003
Published
2023-06-16
Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-06-07
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
CVSS Score
7.6
EPSS Score
0.007
Published
2023-05-24
Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
CVSS Score
7.8
EPSS Score
0.002
Published
2023-05-24
This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container.
CVSS Score
9.8
EPSS Score
0.008
Published
2023-05-24
This vulnerability enables ssh access to minikube container using a default password.
CVSS Score
8.4
EPSS Score
0.002
Published
2023-05-24
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
CVSS Score
6.5
EPSS Score
0.012
Published
2023-03-01
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.
CVSS Score
6.6
EPSS Score
0.016
Published
2023-03-01
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
CVSS Score
7.1
EPSS Score
0.004
Published
2022-09-19