Symlink Exchange Can Allow Host Filesystem Access
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. This issue has been rated High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and assigned...
Webhook redirect in kube-apiserver
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the lo...
Endpoint & EndpointSlice permissions allow cross-Namespace forwarding
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. This issue has been rated Low severity CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, and assigned CVE-2021-25740. Am I...
Holes in EndpointSlice Validation Enable Host Network Hijack
Issue Details: A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs. Th...
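The two Endpoint/EndpointSlice entries above come down to one missing check: an address written into an Endpoints or EndpointSlice object must not fall in the loopback or link-local ranges, otherwise a Service can be pointed at a Node's own localhost services or at the link-local metadata address. The validator below is an added example, not Kubernetes source; the function names and the sample objects are constructed here, and the extra rejected ranges (unspecified and multicast) are this example's own additions beyond the two ranges the advisories name.

```python
"""Address validation for Endpoints and EndpointSlice objects (added example, not Kubernetes code)."""
import ipaddress
from typing import Iterator, List, Optional


def rejection_reason(ip_text: str) -> Optional[str]:
    """Return why an address is unacceptable as a backend IP, or None if it is fine."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not an IP address"
    if ip.is_loopback:          # 127.0.0.0/8, ::1  (named in the advisories)
        return "loopback range"
    if ip.is_link_local:        # 169.254.0.0/16, fe80::/10  (named in the advisories)
        return "link-local range"
    if ip.is_unspecified:       # 0.0.0.0, ::  (this example's addition)
        return "unspecified address"
    if ip.is_multicast:         # this example's addition
        return "multicast range"
    return None


def backend_ips(obj: dict) -> Iterator[str]:
    """Yield every IP carried by an Endpoints or EndpointSlice object."""
    kind = obj.get("kind")
    if kind == "Endpoints":
        for subset in obj.get("subsets", []):
            for key in ("addresses", "notReadyAddresses"):
                for addr in subset.get(key, []):
                    yield addr["ip"]
    elif kind == "EndpointSlice":
        # FQDN slices carry hostnames, not IPs; there is nothing to range-check.
        if obj.get("addressType") == "FQDN":
            return
        for endpoint in obj.get("endpoints", []):
            yield from endpoint.get("addresses", [])
    else:
        raise ValueError(f"unsupported kind {kind!r}")


def validate(obj: dict) -> List[str]:
    """Return validation errors for the object; an empty list means accept it."""
    errors = []
    for ip in backend_ips(obj):
        reason = rejection_reason(ip)
        if reason is not None:
            errors.append(f"{obj['kind']} {obj['metadata']['name']}: address {ip} rejected ({reason})")
    return errors


# Constructed sample objects (not taken from any real cluster).
GOOD_SLICE = {
    "kind": "EndpointSlice", "apiVersion": "discovery.k8s.io/v1",
    "metadata": {"name": "web-abc12", "namespace": "shop"},
    "addressType": "IPv4",
    "endpoints": [{"addresses": ["10.244.1.17"]}, {"addresses": ["10.244.2.9"]}],
}

# Points a Service at a Node's loopback and at the link-local metadata address.
HIJACK_SLICE = {
    "kind": "EndpointSlice", "apiVersion": "discovery.k8s.io/v1",
    "metadata": {"name": "web-evil1", "namespace": "shop"},
    "addressType": "IPv4",
    "endpoints": [{"addresses": ["127.0.0.1", "169.254.169.254"]}],
}

# The same trick via the older Endpoints object, hidden in notReadyAddresses.
HIJACK_ENDPOINTS = {
    "kind": "Endpoints", "apiVersion": "v1",
    "metadata": {"name": "web", "namespace": "shop"},
    "subsets": [{"addresses": [{"ip": "10.244.3.4"}],
                 "notReadyAddresses": [{"ip": "::1"}]}],
}

if __name__ == "__main__":
    for obj in (GOOD_SLICE, HIJACK_SLICE, HIJACK_ENDPOINTS):
        print(obj["metadata"]["name"], validate(obj) or "ok")
```

The same function can back a validating admission webhook for clusters still running an unpatched apiserver: deny the request whenever validate() returns a non-empty list.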
Bypass of Kubernetes API Server proxy TOCTOU
CVSS Rating: Low CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N A security issue was discovered in Kubernetes where an authorized user may be able to access private networks on the Kubernetes control plane components. Kubernetes clusters are only affected if an untrusted user can create or modify...
Processes may panic upon receipt of malicious protobuf messages
Issue Details: A security issue was discovered in code generated by the gogo protobuf compiler used by Kubernetes. The gogo protobuf compiler issue has been assigned CVE-2021-3121 and is also known as the “skippy peanut butter bug”. A program which uses affected code to handle a malicious protobuf...
Validating Admission Webhook does not observe some previous fields
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node...
Man in the middle using LoadBalancer or ExternalIPs
CVSS Rating: Medium CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L This issue affects multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods or nodes in the cluster. An attacker that is able to create a...
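The entry above describes a tenant who can create Services using spec.externalIPs (or a forged status.loadBalancer.ingress) to pull other tenants' traffic through a Service they control. The recommended mitigation at the time was an admission webhook that restricts those fields, and the code below is an added example of that decision logic, not Kubernetes code: it takes an admission.k8s.io/v1 AdmissionReview, allows externalIPs only from an operator allowlist, and lets only a configured load-balancer controller identity write status.loadBalancer. The allowlist, the controller username, and the fixtures (including the 10.96.0.10 cluster-DNS address used as the hijack target) are assumptions of this example.

```python
"""Validating admission logic for Service externalIPs / loadBalancer status (added example)."""
import ipaddress
from typing import Iterable, List


def service_violations(service: dict, allowed_external_ips: Iterable[str],
                       writer: str, lb_controller_users: Iterable[str]) -> List[str]:
    """Return policy violations for a Service object written by `writer`."""
    violations = []
    allowed = {ipaddress.ip_address(ip) for ip in allowed_external_ips}
    for ip_text in service.get("spec", {}).get("externalIPs", []):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            violations.append(f"spec.externalIPs entry {ip_text!r} is not an IP address")
            continue
        if ip not in allowed:
            violations.append(f"spec.externalIPs entry {ip} is not on the operator allowlist")
    # A forged status.loadBalancer.ingress makes kube-proxy route that IP to this Service,
    # so only the real load-balancer controller may set it.
    ingress = service.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    if ingress and writer not in set(lb_controller_users):
        violations.append("status.loadBalancer.ingress may only be set by the "
                          f"load-balancer controller, not {writer!r}")
    return violations


def admission_response(review: dict, allowed_external_ips: Iterable[str],
                       lb_controller_users: Iterable[str]) -> dict:
    """Turn an admission.k8s.io/v1 AdmissionReview request into the matching response."""
    request = review["request"]
    violations = service_violations(request["object"], allowed_external_ips,
                                    request["userInfo"]["username"], lb_controller_users)
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Policy inputs assumed by this example.
ALLOWED_EXTERNAL_IPS = ["192.0.2.10"]
LB_CONTROLLER_USERS = ["system:serviceaccount:kube-system:cloud-controller-manager"]


def _review(uid: str, username: str, service: dict) -> dict:
    """Build a constructed AdmissionReview request for a Service write."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Service"},
                        "userInfo": {"username": username}, "object": service}}


def _service(spec: dict, status: dict = None) -> dict:
    svc = {"apiVersion": "v1", "kind": "Service",
           "metadata": {"name": "web", "namespace": "tenant-a"}, "spec": spec}
    if status:
        svc["status"] = status
    return svc


# Constructed fixtures (not captured from any cluster).
REVIEW_OK = _review("1", "alice", _service({"externalIPs": ["192.0.2.10"]}))
# externalIP equal to the (assumed) cluster DNS ClusterIP: every pod's DNS traffic would land here.
REVIEW_HIJACK = _review("2", "alice", _service({"externalIPs": ["10.96.0.10"]}))
LB_STATUS = {"loadBalancer": {"ingress": [{"ip": "10.96.0.10"}]}}
REVIEW_STATUS_USER = _review("3", "alice", _service({"type": "LoadBalancer"}, LB_STATUS))
REVIEW_STATUS_CTRL = _review("4", LB_CONTROLLER_USERS[0], _service({"type": "LoadBalancer"}, LB_STATUS))

if __name__ == "__main__":
    for review in (REVIEW_OK, REVIEW_HIJACK, REVIEW_STATUS_USER, REVIEW_STATUS_CTRL):
        print(admission_response(review, ALLOWED_EXTERNAL_IPS, LB_CONTROLLER_USERS)["response"])
```

Register the webhook for both services and services/status so that the status path is actually seen by it; a rule on the main resource alone does not observe status writes.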
Ceph RBD adminSecrets exposed in logs when loglevel >= 4
CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Medium In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD...
Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Medium In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. Am I vulnerable? If kube-apiserver i...
Docker config secrets leaked when file is malformed and log level >= 4
CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Medium In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry...
Secret leaks in kube-controller-manager when using vSphere provider
CVSS Rating: 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Medium In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. Am I vulnerable? If you are using VSphere as a clo...
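The four log-leak entries above (Ceph RBD, bearer tokens, Docker config, vSphere) share a single precondition: a klog verbosity of 4 or more, or 9 or more for the bearer-token case. The check below is an added example, not Kubernetes code; it reads a Pod object (a kubeadm static Pod manifest from /etc/kubernetes/manifests is the assumed source, but any Pod works), parses the -v/--v flag the way klog and Go's flag package accept it, and reports containers at or above a threshold. The sample manifests are constructed here.

```python
"""Report control-plane containers whose klog verbosity reaches a secret-leaking level (added example)."""
from typing import List

# Thresholds named in the advisories above.
SECRET_LEAK_LEVEL = 4   # Ceph RBD, Docker config, vSphere credential leaks
TOKEN_LEAK_LEVEL = 9    # bearer/authorization token leak


def klog_verbosity(args: List[str]) -> int:
    """Return the verbosity set by -v/--v in an argument list (0 when unset).

    Accepts -v=4, --v=4, -v 4 and --v 4; the last occurrence wins, as with Go flags.
    --vmodule is not parsed here even though it can raise verbosity per source file.
    """
    level = 0
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-v", "--v") and i + 1 < len(args):
            level = int(args[i + 1])
            i += 2
            continue
        for prefix in ("--v=", "-v="):
            if arg.startswith(prefix):
                level = int(arg[len(prefix):])
                break
        i += 1
    return level


def audit_pod(pod: dict, threshold: int = SECRET_LEAK_LEVEL) -> List[str]:
    """Return one finding per container whose verbosity is at or above threshold."""
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        argv = list(container.get("command", [])) + list(container.get("args", []))
        level = klog_verbosity(argv)
        if level >= threshold:
            findings.append(f"{pod['metadata']['name']}/{container['name']}: -v={level} >= {threshold}")
    return findings


# Constructed kubeadm-style static Pod manifests (not from a real cluster).
KCM_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-controller-manager", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "image": "k8s.gcr.io/kube-controller-manager:v1.17.0",
        "command": ["kube-controller-manager", "--cloud-provider=vsphere", "--v=4"]}]},
}
APISERVER_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-apiserver",
        "image": "k8s.gcr.io/kube-apiserver:v1.17.0",
        "command": ["kube-apiserver", "--v", "2"]}]},
}

if __name__ == "__main__":
    for pod in (KCM_POD, APISERVER_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "ok")
```

Run it over every manifest in /etc/kubernetes/manifests (yaml.safe_load each file) and also over the kubelet's systemd unit arguments; for the bearer-token case, kubectl invocations with -v=9 in CI logs deserve the same scrutiny.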
Node disk DOS by writing to container /etc/hosts
CVSS Rating: Medium 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it...
Privilege escalation from compromised node to cluster
CVSS Rating: Medium 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H If an attacker is able to intercept certain requests to the Kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes...
Node setting allows for neighboring hosts to bypass localhost boundary
CVSS Rating: In typical clusters: medium 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N In clusters where API server insecure port has not been disabled: high 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in kube-proxy which allows adjacent hosts to reach TCP...
Half-Blind SSRF in kube-controller-manager
CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network such...
IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L 6.0 Medium A cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect...
kube-apiserver Denial of Service vulnerability from malicious YAML payloads
CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML. The issue was discovered via the fuzz test kubernetes/kubernetes#83750. Affected...
apiserver DoS (oom)
CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Medium The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests. Am I vulnerable? If an attacker that can make an authorized resource request to an unpatched API server (see below),...
Kubelet DoS via API
CVSS Rating: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Medium The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port...
ingress-nginx auth-type basic annotation vulnerability
A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability. Am I vulnerable? The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. How do I...
kubectl cp symlink vulnerability
A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability. Am I vulnerable? Run kubectl version --client and if it returns one of the versions v1.13.10, v1.14.6, or v1.15.3, you are...
Unvalidated redirect
CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N/E:F Low An attacker-controlled Kubelet can return an arbitrary redirect when responding to certain apiserver requests. Impacted kube-apiservers will follow the redirect as a GET request with client-cert credentials for authenticating to th...
CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation
Am I vulnerable? CSI snapshot, cloning and resizing features are affected. Prior to Kubernetes 1.16, these features were all alpha and disabled by default. Starting in Kubernetes 1.16, CSI cloning and resizing features are beta and enabled by default. These features also require CSI drivers to be...
Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable. This vulnerability has been given an initial...
Bearer tokens are revealed in logs (audit finding TOB-K8S-001)
This issue was reported in the Kubernetes Security Audit Report. Description: Kubernetes requires an authentication mechanism to enforce users’ privileges. One method of authentication, bearer tokens, are opaque strings used to associate a user with their having successfully authenticated previousl...
/debug/pprof exposed on kubelet's healthz port
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. If you are exposed we recommend upgrading to at least on...
Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N A third issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires us...
API server allows access to custom resources via wrong scope
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L The API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the...
container uid changes to root after first restart or if image is already pulled to the node
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L, 4.9 medium In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true,...
rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N The rest.AnonymousClientConfig method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the following versions, rest.AnonymousClientConfig did not effectively clear...
`kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files
In kubectl v1.8.0+, schema info is cached in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be...
json-patch requests can exhaust apiserver resources
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 6.5, medium Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch...
proxy request handling in kube-apiserver can leave vulnerable TCP connections
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8, critical With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated...
smb mount security issue
This issue is tracked under CVE-2018-1002101. /kind bug What happened: use PowerShell Environment Variables to store user input strings to prevent command line injection; the env var in...
Kubectl copy doesn't check for paths outside of its destination directory.
/kind bug What happened: kubectl cp :/some/remote/dir /some/local/dir If the container returns a malformed tarfile with paths like '/some/remote/dir/../../../../tmp/foo', kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo. What you...
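The three kubectl cp entries above (the original report here, the symlink variant, and the incomplete-fix follow-up) are one class of client-side defect: the tar stream a container returns is attacker-controlled, so a member named ../../tmp/foo or a symlink pointing outside the destination lets the container write anywhere on the user's workstation. The extractor below is an added example, not kubectl's code; it applies the checks that close both holes, lexically for member names and link targets and again after realpath so that a link created by an earlier member cannot be used as a stepping stone. The helper names and the in-memory sample archives are constructed here.

```python
"""Tar extraction that refuses to write outside the destination directory (added example)."""
import io
import os
import posixpath
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple


class UnsafeTarMember(Exception):
    """Raised for a member that would create something outside the destination."""


def _inside(dest_root: str, candidate: str) -> bool:
    """True when the absolute path candidate lies at or below dest_root."""
    return os.path.commonpath([dest_root, candidate]) == dest_root


def safe_extract(tar_bytes: bytes, dest_dir: str, strip_prefix: str = "") -> List[str]:
    """Write the archive under dest_dir and return the relative paths created.

    strip_prefix mimics kubectl cp removing the remote directory from member
    names; whatever remains is normalised and must stay below dest_dir.
    """
    dest_root = os.path.realpath(dest_dir)
    created = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name.lstrip("/")
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):].lstrip("/")
            rel = posixpath.normpath(name)                # 'a/../../x' becomes '../x'
            if rel == ".." or rel.startswith("../") or posixpath.isabs(rel):
                raise UnsafeTarMember(f"{member.name!r} resolves outside the destination")
            # realpath follows symlinks already on disk, so a link from an earlier member
            # that somehow pointed outside is caught here as well.
            target = os.path.realpath(os.path.join(dest_root, rel))
            if not _inside(dest_root, target):
                raise UnsafeTarMember(f"{member.name!r} resolves outside the destination")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
            elif member.issym():
                if posixpath.isabs(member.linkname):
                    raise UnsafeTarMember(f"symlink {member.name!r} has absolute target {member.linkname!r}")
                link_dest = os.path.normpath(os.path.join(os.path.dirname(target), member.linkname))
                if not _inside(dest_root, link_dest):
                    raise UnsafeTarMember(f"symlink {member.name!r} points outside: {member.linkname!r}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(member.linkname, target)
            else:  # hard links, devices, fifos: nothing kubectl cp needs to materialise
                raise UnsafeTarMember(f"{member.name!r}: unsupported member type")
            created.append(rel)
    return created


def build_tar(entries: List[Tuple[str, Optional[str], Optional[str]]]) -> bytes:
    """Build an archive in memory from (name, file_content, symlink_target) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                data = content.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed archives standing in for what a container might return to kubectl cp.
REMOTE_DIR = "some/remote/dir"
BENIGN_TAR = build_tar([(REMOTE_DIR + "/hello.txt", "hello", None)])
TRAVERSAL_TAR = build_tar([("/some/remote/dir/../../../../tmp/foo", "pwned", None)])  # path from the report above
SYMLINK_TAR = build_tar([(REMOTE_DIR + "/link", None, "../../../../etc"),        # link escapes first...
                         (REMOTE_DIR + "/link/passwd", "pwned", None)])             # ...then a file goes through it


def try_extract(tar_bytes: bytes, dest_dir: str, strip_prefix: str = REMOTE_DIR) -> Tuple[List[str], Optional[str]]:
    """Run safe_extract and return (created paths, error message or None)."""
    try:
        return safe_extract(tar_bytes, dest_dir, strip_prefix), None
    except UnsafeTarMember as exc:
        return [], str(exc)


def demo() -> Dict[str, object]:
    """Extract the three sample archives into a fresh temp dir and return the outcomes."""
    dest = tempfile.mkdtemp(prefix="kubectl-cp-demo-")
    return {"dest": dest, "benign": try_extract(BENIGN_TAR, dest),
            "traversal": try_extract(TRAVERSAL_TAR, dest), "symlink": try_extract(SYMLINK_TAR, dest)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On Python 3.12 and later, tarfile.extractall(path, filter="data") performs equivalent name and link checks; the explicit version above shows what those checks must cover, which is the same list the kubectl fixes had to work through release by release.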
atomic writer volume handling allows arbitrary file deletion in host filesystem
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H This vulnerability allows containers using a secret, configMap, projected or downwardAPI volume to trigger deletion of arbitrary files and directories on the nodes where they are running. Thanks to Joel Smith of Red Hat for reporting this problem...
subpath volume mount handling allows arbitrary file access in host filesystem
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem. Thanks to Maxim Ivanov...
Azure PV should be Private scope not Container scope
PodSecurityPolicy admission plugin authorizes incorrectly
A PodSecurityPolicy admission plugin vulnerability allows users to make use of any PodSecurityPolicy object, even ones they are not authorized to use. CVE: CVE-2017-1000056 Fixed in v1.5.5 in https://github.com/kubernetes/kubernetes/commit/7fef0a4f6a44ea36f166c39fdade5324eff2dd5e Fixed in...