39 matches found
PT-2026-6528
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern in github.com/rancher/local-path-provisioner...
GHSA-JR3W-9VFR-C746 Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
Impact A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:...
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
Impact A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:...
PT-2026-6443
Impact A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:...
PT-2026-6543
Name of the Vulnerable Software and Affected Versions rancher.io/local-path-provisioner versions prior to 0.0.34 Description A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or...
CVE-2025-65637 affecting package local-path-provisioner for versions less than 0.0.21-20
CVE-2025-65637 affecting package local-path-provisioner for versions less than 0.0.21-20. A patched version of the package is available...
Azure Linux 3.0 Security Update: kubernetes / local-path-provisioner (CVE-2020-8565)
The version of kubernetes / local-path-provisioner installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2020-8565 advisory. - In Kubernetes, if the logging level is set to at least 9, authorization and bear...
CVE-2020-8565 affecting package local-path-provisioner for versions less than 0.0.24-5
CVE-2020-8565 affecting package local-path-provisioner for versions less than 0.0.24-5. A patched version of the package is available...
CVE-2023-44487 affecting package local-path-provisioner for versions less than 0.0.21-12
CVE-2023-44487 affecting package local-path-provisioner for versions less than 0.0.21-12. A patched version of the package is available...
CVE-2023-39325 affecting package local-path-provisioner for versions less than 0.0.24-3
CVE-2023-39325 affecting package local-path-provisioner for versions less than 0.0.24-3. A patched version of the package is available...
CVE-2023-45288 affecting package local-path-provisioner for versions less than 0.0.24-3
CVE-2023-45288 affecting package local-path-provisioner for versions less than 0.0.24-3. A patched version of the package is available...
AZL-38488 CVE-2023-45288 affecting package local-path-provisioner for versions less than 0.0.24-3
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: doppler-kubernetes-operator, aactl, logstash-exporter-fips, prometheus-mongodb-exporter-fips, nats, bank-vaults-fips, temporal-ui-server-fips, kor, flux-kustomize-controller, stakater-reloader, aws-load-balancer-controller, caddy-fips, flux, cadvisor, eksctl, mc, buf...
CVE-2022-21698 affecting package local-path-provisioner for versions less than 0.0.21-14
CVE-2022-21698 affecting package local-path-provisioner for versions less than 0.0.21-14. A patched version of the package is available...
AZL-34963 CVE-2023-39325 affecting package local-path-provisioner for versions less than 0.0.24-3
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-34964 CVE-2023-44487 affecting package local-path-provisioner for versions less than 0.0.21-12
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31324 CVE-2023-44487 affecting package local-path-provisioner for versions less than 0.0.21-12
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-33612 CVE-2021-44716 affecting package local-path-provisioner for versions less than 0.0.21-16
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests...
AZL-41878 CVE-2020-8565 affecting package local-path-provisioner for versions less than 0.0.24-5
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects = v1.19.3, = v1.18.10, = v1.17.13, v1.20.0-alpha2...