547 matches found
GHSA-9CWV-CPPX-MQJM Improper Authentication in Capsule Proxy
Impact: Using a malicious Connection header, an attacker with a proper authentication mechanism could start a privilege escalation towards the Kubernetes API Server, being able to exploit the cluster-admin Role bound to capsule-proxy. Patches: Patch has been merged in the v0.2.1 release. Workaround...
CVE-2022-23652 Privilege escalation using hop-by-hop Connection header
capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious Connection header to start a privilege escalation attack towards the Kubernetes API Server. This...
PT-2022-2954 · Unknown · Capsule-Proxy
Name of the Vulnerable Software and Affected Versions: capsule-proxy versions prior to 0.2.1. Description: The issue is related to the capsule-proxy, a reverse proxy for Capsule Operator that provides multi-tenancy in Kubernetes. An attacker with proper authentication may use a malicious Connectio...
capsule-proxy authorization issue vulnerability
The capsule-proxy is designed to allow overcoming the limitations of the Kubernetes API Server in listing the cluster-wide resources it owns, such as Namespace, Ingress and Storage Classes, Nodes, and other resources covered by the Capsule. A security vulnerability in capsule-proxy versions prior...
GHSA-82HX-W2R5-C2WQ Kubernetes API Server DoS Via API Requests
The Kubernetes API server component in Kubernetes versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests...
Access Restriction Bypass in kubernetes
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. Specific Go Packages Affected: github.com/kubernetes/kubernetes/pkg/apiserver...
GHSA-579H-MV94-G4GP Privilege Escalation in Kubernetes
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary reques...
GHSA-XX8C-M748-XR4J Access Restriction Bypass in kubernetes
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. Specific Go Packages Affected: github.com/kubernetes/kubernetes/pkg/apiserver...
Portainer code issue vulnerability
A code issue vulnerability exists in Portainer Agent, a lightweight user management interface for managing Docker environments and Docker hosts, which stems from the product's failure to associate Portainer instances with past time. An attacker could exploit the vulnerability to cause the API...
Allocation of Resources Without Limits or Throttling
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests...
Information Disclosure
github.com/portainer/agent is vulnerable to information disclosure. The API server may continue running even after the associated Portainer instance connection is terminated allowing remote attackers to gain access to sensitive information...
CVE-2022-24961
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days...
CVE-2022-24961
Portainer Agent (before 2.11.1) contains a vulnerability where the API server can continue running even if not associated with a Portainer instance in the recent days. This issue affects the Portainer Agent and is reflected in CVSS metrics indicating a HIGH to CRITICAL impact (Network, Low attack...
Unverified Ownership in Kubernetes
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status which is considered a privileged operation and should not...
Incorrect Authorization
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status which is considered a privileged operation and should not...
Why Security in Kubernetes Isn't the Same as in Linux: Part 2
Security for Kubernetes might not be quite the same as what you're used to. In our previous article, we covered why security is so important in both Linux on-premises servers and cloud Kubernetes clusters. We also talked about 3 major aspects of Linux server security — processes, network, and fil...
CVE-2020-8562 Bypass of Kubernetes API Server proxy TOCTOU
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a...
CVE-2022-21860
Windows AppContracts API Server Elevation of Privilege Vulnerability...