CVSS: 6.4EPSS: 49%CPEs: 7EXPL: 1CVE-2019-1002101 – kubectl cp path traversal
https://notcve.org/view.php?id=CVE-2019-1002101
01 Apr 2019 — The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. ... • https://github.com/brompwnie/CVE-2019-1002101-Helpers • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2019-0542 – xterm.js: Mishandling of special characters allows for remote code execution
https://notcve.org/view.php?id=CVE-2019-0542
09 Jan 2019 — A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js. Existe una vulnerabilidad de ejecución remota de código en Xterm.js cuando el componente maneja mal los caracteres especiales, también conocida como "Xterm Remote Code Execution Vulnerability". Esto afecta a xterm.js It was found that xterm.js does not sanitize terminal escape sequences in browser terminals allowing for execution o... • http://www.securityfocus.com/bid/106434 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 90%CPEs: 14EXPL: 7CVE-2018-1002105 – Kubernetes - (Unauthenticated) Arbitrary Requests
https://notcve.org/view.php?id=CVE-2018-1002105
03 Dec 2018 — In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. En todas las versiones de Kubernetes anteriores a la v1.1... • https://www.exploit-db.com/exploits/46052 • CWE-305: Authentication Bypass by Primary Weakness CWE-388: 7PK - Errors •
CVSS: 7.7EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14632 – atomic-openshift: oc patch with json causes masterapi service crash
https://notcve.org/view.php?id=CVE-2018-14632
06 Sep 2018 — An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management. Puede ocurrir una escritura fuera de límites al parchear un objeto Openshift mediante la funcionalidad "oc patch" en OpenShift Container Platform, en versiones anteriores a la 3.7. Un atacante puede emplear este error para provoca... • https://access.redhat.com/errata/RHBA-2018:2652 • CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10843 – source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
https://notcve.org/view.php?id=CVE-2018-10843
27 Jun 2018 — source-to-image component of Openshift Container Platform before versions atomic-openshift 3.7.53, atomic-openshift 3.9.31 is vulnerable to a privilege escalation which allows the assemble script to run as the root user in a non-privileged container. An attacker can use this flaw to open network connections, and possibly other actions, on the host which are normally only available to a root user. El componente source-to-image de Openshift Container Platform en versiones anteriores a atomic-openshift 3.7.53 ... • https://access.redhat.com/errata/RHSA-2018:2013 • CWE-20: Improper Input Validation CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1070 – Routing: Malicous Service configuration can bring down routing for an entire shard.
https://notcve.org/view.php?id=CVE-2018-1070
12 Jun 2018 — routing before version 3.10 is vulnerable to an improper input validation of the Openshift Routing configuration which can cause an entire shard to be brought down. A malicious user can use this vulnerability to cause a Denial of Service attack for other users of the router shard. routing en versiones anteriores a la 3.10 es vulnerable a una validación de entradas incorrecta de la configuración de Openshift Routing que puede permitir que una partición entera se caiga. Un usuario malicioso puede emplear esta... • https://access.redhat.com/errata/RHSA-2018:2013 • CWE-20: Improper Input Validation •