azure-file-csi-driver discloses service account tokens in logs
CVSS Rating: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - MEDIUM 6.5 A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to...
Insufficient input sanitization on Windows nodes leads to privilege escalation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH 8.8 A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. Am...
ingress-nginx controller configuration injection via unsanitized auth-tls-match-cn annotation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Score: 8.8, High A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-ngin...
Node Denial of Service via kubelet Checkpoint API
CVSS Rating: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. Am I vulnerable?...
ingress-nginx path sanitization can be bypassed
Issue Details A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use directives to bypass the sanitization of the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the credentia...
Symlink Exchange Can Allow Host Filesystem Access
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. This issue has been rated High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and assigned...
ingress-nginx comment-based nginx configuration injection
CVSS Rating: 8.8 Medium CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller...
VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override
CVSS Rating High 7.5: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root acces...
Nodes can bypass dynamic resource allocation authorization checks
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L - Low 2.7 A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly...
ingress-nginx admission controller RCE escalation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Score: 9.8, Critical A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx...
ingress-nginx controller configuration injection via unsanitized mirror annotations
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Score: 8.8, High A security issue was discovered in ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the...
Arbitrary command execution through gitRepo volume
A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary comman...
Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N - Low 2.7 A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and...
Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - HIGH 7.2 A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they ar...
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
Issue Details A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/permanent-redirect annotation on an Ingress object in the networking.k8s.io or extensions API group can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx...
Insufficient input sanitization on Windows nodes leads to privilege escalation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH 8.8 A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. Am...
Bypass of seccomp profile enforcement
What happened? A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. This issue has been rated LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N score: 3.4. If you have pods in your cluster that use localhost type for seccomp profile but specify an...
Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission plugin CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N A security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when usi...
secrets-store-csi-driver discloses service account tokens in logs
A security issue was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged...
Node address isn't always verified when proxying
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them...
Aggregated API server can cause clients to be redirected (SSRF)
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L 5.1, medium A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API...
Ingress-nginx `path` sanitization can be bypassed with newline character
Issue Details A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the...
Holes in EndpointSlice Validation Enable Host Network Hijack
Issue Details A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs. Th...
Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Medium In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. Am I vulnerable? If kube-apiserver i...
Node disk DOS by writing to container /etc/hosts
CVSS Rating: Medium 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it...
Half-Blind SSRF in kube-controller-manager
CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network such...
kubectl cp symlink vulnerability
A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability. Am I vulnerable? Run kubectl version --client and if it returns versions v1.13.10, v1.14.6, and v1.15.3, you are...
/debug/pprof exposed on kubelet's healthz port
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. If you are exposed we recommend upgrading to at least on...
Kubectl copy doesn't check for paths outside of its destination directory.
Is this a BUG REPORT or FEATURE REQUEST?: Bug /kind bug What happened: kubectl cp :/some/remote/dir /some/local/dir If the container returns a malformed tarfile with paths like: '/some/remote/dir/../../../../tmp/foo' kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo What you...
atomic writer volume handling allows arbitrary file deletion in host filesystem
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H This vulnerability allows containers using a secret, configMap, projected or downwardAPI volume to trigger deletion of arbitrary files and directories on the nodes where they are running. Thanks to Joel Smith of Red Hat for reporting this problem...
ingress-nginx auth-proxy-set-headers nginx configuration injection
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of th...
ingress-nginx auth-url protection bypass
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a...
ingress-nginx auth-method nginx configuration injection
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-method Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the...
Credential caching in Headlamp with Helm enabled
Original tracking issue: https://github.com/kubernetes-sigs/headlamp/issues/4282 CVSS Rating: High 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description of vulnerability A security issue was discovered in the in-cluster version of Headlamp where unauthenticated users may be able to reuse...
Portworx Half-Blind SSRF in kube-controller-manager
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N - Medium 5.8 A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This was patched for other in-tree StorageClasses GlusterFS, Quobyte, StorageOS, and...
Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N — Medium 6.8 A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows ...
secrets-store-sync-controller discloses service account tokens in logs
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are onl...
Nodes can delete themselves by adding an OwnerReference
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L - Medium 6.7 A vulnerability exists in the NodeRestriction admission controller where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference...
ingress-nginx controller configuration injection via unsanitized auth-url annotation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Score: 8.8, High A security issue was discovered in ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx...
ingress-nginx controller auth secret file path traversal vulnerability
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L Score: 4.8, Medium A security issue was discovered in ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This coul...
GitRepo Volume Inadvertent Local Repository Access
Issue Details A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This issue has been rated Medium CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:...
Command Injection affecting Windows nodes via nodes/*/logs/query API
Hello Kubernetes Community, A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This issue has been rated Medium with a CVSS v3.1 score of 5.9...
VM images built with Image Builder with some providers use default credentials during builds
CVSS Rating: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The...
VM images built with Image Builder and Proxmox provider use default credentials
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Proxmox provider do not disable these default...
Ingress-nginx Annotation Validation Bypass
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects in the networking.k8s.io or extensions API group can bypass annotation validation to inject arbitrary commands and obtain the...
Network restriction bypass via race condition during namespace termination
CVSS Rating: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - Low 3.1 A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace...
Incorrect permissions on Windows containers logs
CVSS Rating: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N - MEDIUM 6.1 A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs. This issue has been...
Ingress nginx annotation injection causes arbitrary command execution
Issue Details A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object in the networking.k8s.io or extensions API group can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx...
Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH 8.8 A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if...