CVSS: 6.5EPSS: 0%CPEs: 23EXPL: 0CVE-2017-1002100
https://notcve.org/view.php?id=CVE-2017-1002100
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal. Los permisos de acceso por defecto para volúmenes persistentes (PV) creados por el proveedor de servicios en la nube Kubernetes en Azure, en sus versiones de la 1.6.0 a la 1.6.5, están establecidos a "container", lo que expone una URI que se puede acceder sin autenticación en la red de internet pública. Para acceder al string URI se requieren permisos de acceso al clúster de Kubernetes o acceso autenticado al portal Azure. • https://github.com/kubernetes/kubernetes/issues/47611 https://groups.google.com/d/msg/kubernetes-security-announce/n3VBg_WJZic/-ddIqKXqAAAJ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-7561
https://notcve.org/view.php?id=CVE-2015-7561
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. Kubernetes en OpenShift3 permite que atacantes remotos autenticados empleen las imágenes privadas de otros usuarios si conocen el nombre de dicha imagen. • https://bugzilla.redhat.com/show_bug.cgi?id=1291963 https://github.com/kubernetes/kubernetes/pull/18909 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2017-1000056
https://notcve.org/view.php?id=CVE-2017-1000056
Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. En Kubernetes versión 1.5.0 hasta 1.5.4, es vulnerable a una escalada de privilegios en el plugin admission de PodSecurityPolicy, resultando en la capacidad de hacer uso de cualquier objeto PodSecurityPolicy existente. • https://github.com/kubernetes/kubernetes/issues/43459 • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 1CVE-2016-7075 – 3: API server does not validate client-provided intermediate certificates correctly
https://notcve.org/view.php?id=CVE-2016-7075
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate. Se ha descubierto que Kubernetes, tal y como se emplea en Openshift Enterprise 3, no valida los campos de nombre del host del certificado intermediario de cliente X.509. Un atacante podría emplear este error para omitir los requisitos de autenticación mediante el uso de un certificado X.509 especialmente manipulado It was found that Kubernetes did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate. • https://access.redhat.com/errata/RHSA-2016:2064 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7075 https://github.com/kubernetes/kubernetes/issues/34517 https://access.redhat.com/security/cve/CVE-2016-7075 https://bugzilla.redhat.com/show_bug.cgi?id=1384112 • CWE-295: Improper Certificate Validation •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-1906 – server: build config to a strategy that isn't allowed by policy
https://notcve.org/view.php?id=CVE-2016-1906
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. Openshift, permite a los atacantes remotos alcanzar privilegios mediante la actualización de una configuración de compilación que fue diseñada con un tipo permitido en un tipo que no está permitido. An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build-configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves (launch fails when the policy is violated), if the build configuration files were later launched by other privileged services (such as automated triggers), user privileges could be bypassed allowing attacker escalation. • https://access.redhat.com/errata/RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0351 https://github.com/openshift/origin/issues/6556 https://github.com/openshift/origin/pull/6576 https://access.redhat.com/security/cve/CVE-2016-1906 https://bugzilla.redhat.com/show_bug.cgi?id=1297916 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •