CVE Daily
← All tags

Tag: Kubernetes

All CVEs associated with "Kubernetes". Page 3/5 • 515 CVEs.

Subscribe CVEs: RSS for “Kubernetes”  ·  RSS (High+Critical only)

About “Kubernetes”

A curated feed of “Kubernetes”-related CVEs appears below. We currently track 515 CVEs for this tag (all time). In the last 365 days, 162 were published. Average CVSS is 7.0 (all time; 7.3 over 365d), and 52% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-05-15
Medium

CVE-2024-31216

The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller impleme…

CVSS: 5.1 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-05-14
Medium

CVE-2024-32476

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched i…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-04-29
Medium

CVE-2024-33522

In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernet…

CVSS: 6.7 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-04-22
Low

CVE-2024-3177

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containe…

CVSS: 2.7 CWE: CWE-20 - Improper Input Validation View on NVD
2024-04-15
Medium

CVE-2024-31990

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should…

CVSS: 4.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-04-12
Medium

CVE-2024-31391

Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to boots…

CVSS: 6.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-04-09
Critical

CVE-2024-29990

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVSS: 9.0 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-28917

Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability

CVSS: 6.2 CWE: CWE-284 - Improper Access Control View on NVD
2024-04-04
High

CVE-2024-25699

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and…

CVSS: 8.5 CWE: CWE-287 - Improper Authentication View on NVD
2024-03-29
Medium

CVE-2024-29893

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Serv…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-03-21
High

CVE-2024-29031

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-03-20
Critical

CVE-2024-29037

datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, due to configuration iss…

CVSS: 9.1 CWE: CWE-1394 - Use of Default Cryptographic Key View on NVD
2024-03-18
High

CVE-2024-21662

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by…

CVSS: 7.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
High

CVE-2024-21661

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial…

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2024-21652

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Servic…

CVSS: 9.8 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2024-03-15
Medium

CVE-2023-51699

Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. An OS command injection vulnerability within the Fluid project's JuicefsRun…

CVSS: 4.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2024-03-13
Critical

CVE-2024-28175

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the applicatio…

CVSS: 9.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-50726

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-def…

CVSS: 6.4 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-03-12
High

CVE-2022-34321

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics abo…

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2024-21400

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVSS: 9.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-02-21
High

CVE-2024-26147

Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. Wh…

CVSS: 7.5 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
2024-02-15
Medium

CVE-2024-25620

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file incl…

CVSS: 6.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-02-13
Critical

CVE-2024-21403

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVSS: 9.0 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Critical

CVE-2024-21376

Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

CVSS: 9.0 CWE: CWE-284 - Improper Access Control View on NVD
2024-01-24
Medium

CVE-2023-51702

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it…

CVSS: 6.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2024-01-19
High

CVE-2024-22424

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF)…

CVSS: 8.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-01-09
Medium

CVE-2023-6476

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kuberne…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2024-01-03
Medium

CVE-2023-30617

Kruise provides automated management of large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to versions 1.3.1, 1.4.1, and 1.5.2, an attacker who has gained root privilege of t…

CVSS: 6.5 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
2023-11-28
Medium

CVE-2023-48713

Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. An attacker who controls a pod to a degree where they can control the res…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-11-24
Critical

CVE-2023-48312

capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2023-11-14
High

CVE-2023-5528

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters…

CVSS: 7.2 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-47630

Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker…

CVSS: 7.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2023-11-13
Medium

CVE-2023-42816

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary…

CVSS: 6.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Low

CVE-2023-42815

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary…

CVSS: 3.1 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
Low

CVE-2023-42814

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Nota…

CVSS: 3.1 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
Medium

CVE-2023-42813

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Nota…

CVSS: 6.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-11-07
Medium

CVE-2023-0436

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue af…

CVSS: 4.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-11-06
Medium

CVE-2023-46254

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namesp…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-11-03
High

CVE-2023-3893

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2023-11-02
High

CVE-2023-5408

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-10-31
High

CVE-2023-3955

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-3676

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2023-10-25
High

CVE-2023-5044

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

CVSS: 7.6 CWE: CWE-20 - Improper Input Validation View on NVD
2023-10-09
High

CVE-2023-44392

Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an…

CVSS: 8.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-10-04
High

CVE-2023-3361

A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline serv…

CVSS: 7.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-09-27
Medium

CVE-2023-40026

Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a speci…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2023-41333

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is ab…

CVSS: 6.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2023-39347

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This…

CVSS: 7.6 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2023-09-15
High

CVE-2023-0923

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2023-09-12
High

CVE-2023-29332

Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

CVSS: 7.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2023-09-07
Medium

CVE-2023-40584

Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2023-40029

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kub…

CVSS: 9.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-08-23
Medium

CVE-2023-40025

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allow…

CVSS: 4.7 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2023-07-21
Critical

CVE-2023-37917

KubePi is an opensource kubernetes management panel. A normal user has permission to create/update users, they can become admin by editing the `isadmin` value in the request. As a result any user may…

CVSS: 9.1 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2023-37916

KubePi is an opensource kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leak password hash of any user (including admin). A sufficiently motivated attacke…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-07-03
Medium

CVE-2023-2728

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-2727

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admissio…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2023-06-29
Critical

CVE-2023-33190

Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) per…

CVSS: 9.9 CWE: CWE-287 - Improper Authentication View on NVD
2023-06-23
Medium

CVE-2023-35165

AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib`…

CVSS: 6.6 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-06-15
Low

CVE-2023-34242

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in w…

CVSS: 3.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-06-07
Medium

CVE-2023-2878

Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.

CVSS: 6.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-06-01
Medium

CVE-2023-34091

Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existin…

CVSS: 6.5 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2023-22647

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the s…

CVSS: 9.9 CWE: CWE-267 - Privilege Defined With Unsafe Actions View on NVD
2023-05-30
High

CVE-2023-33234

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a…

CVSS: 7.2 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2023-33191

Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. Thi…

CVSS: 4.6 CWE: CWE-284 - Improper Access Control View on NVD
2023-05-08
Medium

CVE-2023-30840

Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user g…

CVSS: 5.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-05-04
Critical

CVE-2023-22651

Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook.…

CVSS: 9.9 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-04-26
Medium

CVE-2023-30841

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deplo…

CVSS: 6.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-04-24
Medium

CVE-2023-2250

A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious use…

CVSS: 6.7 CWE: CWE-268 - Privilege Chaining View on NVD
Medium

CVE-2023-30622

Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level pr…

CVSS: 6.7 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-04-15
Medium

CVE-2018-17450

An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via the Kubernetes integr…

CVSS: 4.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2023-04-12
High

CVE-2023-30513

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2023-30512

CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.

CVSS: 6.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2023-03-22
Medium

CVE-2023-28114

`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functiona…

CVSS: 4.8 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2023-03-17
Medium

CVE-2023-27595

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attache…

CVSS: 6.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
Medium

CVE-2023-27593

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/…

CVSS: 4.4 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2023-03-16
Medium

CVE-2023-28110

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.2…

CVSS: 5.7 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-03-15
High

CVE-2023-26484

KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is run…

CVSS: 8.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-03-09
Medium

CVE-2023-27484

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update…

CVSS: 6.2 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-27483

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. A…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2023-03-01
Medium

CVE-2022-3294

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes…

CVSS: 6.6 CWE: CWE-20 - Improper Input Validation View on NVD
2023-02-28
Medium

CVE-2023-1065

This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose…

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
2023-02-16
Critical

CVE-2023-23947

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper aut…

CVSS: 9.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-02-13
Medium

CVE-2023-24619

Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2023-02-08
Medium

CVE-2023-25163

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in…

CVSS: 6.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2023-25165

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-01-26
Medium

CVE-2023-24425

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permissio…

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2023-22736

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass…

CVSS: 8.5 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2023-22482

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper au…

CVSS: 9.0 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-01-14
High

CVE-2023-22480

KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces…

CVSS: 7.3 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2023-22478

KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known worka…

CVSS: 7.3 CWE: CWE-862 - Missing Authorization View on NVD
2023-01-13
High

CVE-2022-3841

RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (…

CVSS: 7.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2023-01-10
High

CVE-2023-22479

KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session, versions 1.6.3 and below are susceptible. A patch will be released in version 1.…

CVSS: 7.5 CWE: CWE-384 - Session Fixation View on NVD
2023-01-09
High

CVE-2022-23509

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchro…

CVSS: 7.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2022-23508

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2022-12-23
High

CVE-2022-47633

An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2022-12-21
Medium

CVE-2022-23551

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-12-15
Medium

CVE-2022-23526

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation viola…

CVSS: 5.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2022-23525

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler t…

CVSS: 5.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2022-23524

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-12-07
Medium

CVE-2022-23471

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to ha…

CVSS: 5.7 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-12-02
High

CVE-2022-46167

Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namesp…

CVSS: 8.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-11-27
Critical

CVE-2022-45933

KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2022-11-19
Medium

CVE-2022-41939

knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their r…

CVSS: 6.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-10-22
Medium

CVE-2022-39272

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either t…

CVSS: 5.0 CWE: CWE-1284 - Improper Validation of Specified Quantity in Input View on NVD
2022-10-13
High

CVE-2022-39278

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plan…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-10-11
Critical

CVE-2022-37968

Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privil…

CVSS: 10.0 CWE: N/A View on NVD
2022-09-13
High

CVE-2022-36103

Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signi…

CVSS: 7.2 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2022-09-07
High

CVE-2022-36049

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases.…

CVSS: 7.7 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2021-36782

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes AP…

CVSS: 9.9 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2022-09-01
Medium

CVE-2022-2238

A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker…

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2022-1902

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifie…

CVSS: 8.8 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
Medium

CVE-2022-36055

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cau…

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-08-31
High

CVE-2022-36035

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows…

CVSS: 7.7 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-08-29
Medium

CVE-2022-31677

An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use the…

CVSS: 5.4 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2022-08-24
Medium

CVE-2021-4178

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privil…

CVSS: 6.7 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2022-08-18
Medium

CVE-2022-35976

The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user ru…

CVSS: 5.2 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2022-08-04
High

CVE-2022-35930

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it s…

CVSS: 7.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2022-07-12
High

CVE-2022-31105

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2022-31102

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD