KubeSec V1 Kubernetes Scanner

KubeSec is a Kubernetes security auditing tool designed to identify dangerous RBAC permissions, insecure pod configurations, exposed secrets, privileged workloads, risky host mounts, weak network exposure, and cluster hardening weaknesses across Kubernetes environments. performs automated read-on...

CVE-2026-6406

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation ECI restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker...

GHSA-9493-H29P-RFM2 runc container escape via "masked path" abuse due to mount race conditions

Impact The OCI runtime specification has a maskedPaths feature that allows for files or directories to be "masked" by placing a mount on top of them to conceal their contents. This is primarily intended to protect against privileged users in non-user-namespaced from being able to write to files o...

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-8676)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability that may allow a malicious user to trick cri-o into restoring a pod that doesn't have CVE-2024-8676 Vulnerability Details CVEID: CVE-2024-8676 Description: A vulnerability was found in CRI-O, where it can be requested ...

Important: runc

Issue Overview: The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentialit...

cri-o: Checkpoint restore can be triggered from different namespaces

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the...

cri-o: Checkpoint restore can be triggered from different namespaces

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the...

cri-o: Checkpoint restore can be triggered from different namespaces

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the...

SUSE CVE-2024-8676

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the...

AZL-53540 CVE-2024-8676 affecting package cri-o 1.30.1-1

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the...

CVE-2024-8676

CVE-2024-8676 affects CRI-O; a checkpoint/restore sequence can cause mounts to be restored from the archive instead of the pod request, bypassing pod-mounted-access validations. This could let a remote attacker trick CRI-O/OpenShift into restoring a pod that lacks host mount access. Requirements:...

Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories...