CVE Daily
← All tags

Tag: Kubernetes

All CVEs associated with "Kubernetes". Page 5/5 • 515 CVEs.

Subscribe CVEs: RSS for “Kubernetes”  ·  RSS (High+Critical only)

About “Kubernetes”

A curated feed of “Kubernetes”-related CVEs appears below. We currently track 515 CVEs for this tag (all time). In the last 365 days, 162 were published. Average CVSS is 7.0 (all time; 7.3 over 365d), and 52% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2019-07-31
Medium

CVE-2019-10365

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read perm…

CVSS: 4.3 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2019-07-30
Low

CVE-2019-10165

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could re…

CVSS: 2.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2019-06-11
High

CVE-2019-10339

A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacke…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2019-10338

A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-spe…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2019-05-17
Medium

CVE-2019-4119

IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. IBM X-Force ID: 158145.

CVSS: 5.3 CWE: N/A View on NVD
2019-04-22
Medium

CVE-2019-11244

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). I…

CVSS: 5.0 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
High

CVE-2019-11243

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certifi…

CVSS: 8.1 CWE: CWE-271 - Privilege Dropping / Lowering Errors View on NVD
2019-04-02
High

CVE-2019-9946

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts…

CVSS: 7.5 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
2019-04-01
Medium

CVE-2019-1002101

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kub…

CVSS: 6.4 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2019-03-28
High

CVE-2019-3869

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks co…

CVSS: 7.2 CWE: CWE-214 - Invocation of Process Using Visible Sensitive Information View on NVD
2019-03-08
High

CVE-2019-3779

Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2019-01-03
High

CVE-2018-18264

Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2018-12-05
Critical

CVE-2018-1002105

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to estab…

CVSS: 9.8 CWE: CWE-388 View on NVD
High

CVE-2018-1002103

In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebindi…

CVSS: 8.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2018-1002101

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument inje…

CVSS: 5.9 CWE: N/A View on NVD
2018-12-04
Critical

CVE-2018-18843

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF.

CVSS: 10.0 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2018-10-09
High

CVE-2018-2475

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster. Due to missing network isolation a shoot's apiserver can a…

CVSS: 8.5 CWE: N/A View on NVD
2018-09-10
High

CVE-2016-7075

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authenticat…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-08-01
High

CVE-2018-1999040

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials…

CVSS: 8.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-07-31
High

CVE-2018-5543

The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the contai…

CVSS: 8.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2018-06-05
Medium

CVE-2018-1000187

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being writte…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-06-02
Medium

CVE-2018-1002100

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary…

CVSS: 4.2 CWE: CWE-20 - Improper Input Validation View on NVD
2018-05-18
High

CVE-2018-1000400

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2018-5256

CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to Tecto…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-05-17
Critical

CVE-2018-0268

A vulnerability in the container management subsystem of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and gain elevated pri…

CVSS: 10.0 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2018-03-13
High

CVE-2017-1002102

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary…

CVSS: 7.1 CWE: N/A View on NVD
High

CVE-2017-1002101

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to…

CVSS: 8.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2017-09-14
Medium

CVE-2017-1002100

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed witho…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-08-07
Low

CVE-2015-7561

Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.

CVSS: 3.1 CWE: CWE-264 View on NVD
2017-07-17
Critical

CVE-2017-1000056

Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2016-08-05
Medium

CVE-2016-5392

The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive pr…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-04-11
Medium

CVE-2015-7528

Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-02-03
High

CVE-2016-1905

The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.

CVSS: 7.7 CWE: CWE-284 - Improper Access Control View on NVD
2015-11-06
Medium

CVE-2015-5305

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handle…

CVSS: 6.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD