68 matches found
CVE-2018-9090
CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Grafana web application using default credentials admin/admin for the administrator account located at grafana-credentials secret. This occurs because CoreOS does not randomize the administrative password to later be configured b...
CVE-2018-9090
CVE-2018-9090 affects CoreOS Tectonic 1.7.x and 1.8.x prior to 1.8.7-tectonic.2, where Grafana runs with administrator credentials (admin/admin) stored in the grafana-credentials secret because passwords are not randomized for administrator configuration. This enables an attacker to inject an XSS...
CoreOS Tectonic Information Disclosure Vulnerability
CoreOS Tectonic is an automated enterprise Kubernetes platform. The platform automates operational tasks, enabling platform portability and multi-cluster management. An information disclosure vulnerability exists in CoreOS Tectonic version 1.7.x before 1.7.9-tectonic.4 and version 1.8.x before...
Authorization
CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to Tectonic and allows an attacker to directly connect to the kubernetes API server. Unauthenticated users...
CVE-2018-5256
CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to Tectonic and allows an attacker to directly connect to the kubernetes API server. Unauthenticated users...
CVE-2018-5256
CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to Tectonic and allows an attacker to directly connect to the kubernetes API server. Unauthenticated users...
CVE-2018-5256
CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3 mounts a direct proxy to the kubernetes cluster at /api/kubernetes/ which is accessible without authentication to Tectonic and allows an attacker to directly connect to the kubernetes API server. Unauthenticated users...
CVE-2018-5256
CoreOS Tectonic information disclosure: A vulnerable proxy surface is exposed in Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-tectonic.3. A direct proxy to the Kubernetes API server at /api/kubernetes/ is mounted without authentication, enabling unauthenticated access and listing...