CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2307 – jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes Plugin
https://notcve.org/view.php?id=CVE-2020-2307
04 Nov 2020 — Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables. Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permiten a usuarios con pocos privilegios acceder a variables de entorno del controlador de Jenkins posiblemente confidenciales Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed includ... • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1646 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2308 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates
https://notcve.org/view.php?id=CVE-2020-2308
04 Nov 2020 — A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names. Una falta de comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los nombres de las plantillas pod global Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Is... • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2102 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2309 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs
https://notcve.org/view.php?id=CVE-2020-2309
04 Nov 2020 — A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Una falta / o una incorrecta comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los ID de credenciales almacenadas en Jenkins Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform sol... • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2103 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8564 – Docker config secrets leaked when file is malformed and loglevel >= 4
https://notcve.org/view.php?id=CVE-2020-8564
27 Oct 2020 — In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. En los clústeres de Kubernetes que usan un nivel de registro de al menos 4, el procesamiento de un archivo de configuración de docker malformado dará como resultado la filtración del contenido del archivo de configuración de docker,... • https://github.com/kubernetes/kubernetes/issues/95622 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8557 – Kubernetes node disk Denial of Service by writing to container /etc/hosts
https://notcve.org/view.php?id=CVE-2020-8557
23 Jul 2020 — The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. El componente kubelet de Kubenetes versiones 1.1-1.16.12, 1.... • https://github.com/kubernetes/kubernetes/issues/93032 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11252 – Credential leakage when failing to mount
https://notcve.org/view.php?id=CVE-2019-11252
23 Jul 2020 — The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. El Kubernetes kube-controller-manager en versiones v1.0-v1.17, es vulnerable a una filtración de credenciales por medio de mensajes de error en registros de fallo de montaje y eventos para volúmenes de AzureFile y CephFS A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS ... • https://github.com/kubernetes/kubernetes/pull/88684 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.8EPSS: 58%CPEs: 4EXPL: 4CVE-2020-8559 – Privilege escalation from compromised node to cluster
https://notcve.org/view.php?id=CVE-2020-8559
22 Jul 2020 — The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. El Kubernetes kube-apiserver en versiones v1.6-v1.15 y versiones anteriores a v1.16.13, v1.17.9 y v1.18.6, son vulnerables a un redireccionamiento no validado en las peticiones de actualización proxy que podrían permitir a un ataca... • https://github.com/tdwyer/CVE-2020-8559 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 25%CPEs: 3EXPL: 4CVE-2020-8558 – Kubernetes node setting allows for neighboring hosts to bypass localhost boundary
https://notcve.org/view.php?id=CVE-2020-8558
13 Jul 2020 — The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. Se... • https://github.com/tabbysable/POC-2020-8558 • CWE-300: Channel Accessible by Non-Endpoint CWE-420: Unprotected Alternate Channel •
CVSS: 6.3EPSS: 16%CPEs: 5EXPL: 0CVE-2020-8555 – Kubernetes kube-controller-manager SSRF
https://notcve.org/view.php?id=CVE-2020-8555
04 Jun 2020 — The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). El Kubernetes kube-controller-manager en las versiones v1.0-1.14, versiones anteriores a v1.15.12, v1.16.9, v1.17.5 y v1.18.0, son vulnerabl... • http://www.openwall.com/lists/oss-security/2020/06/01/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11254 – Kubernetes API Server denial of service vulnerability from malicious YAML payloads
https://notcve.org/view.php?id=CVE-2019-11254
01 Apr 2020 — The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. El componente Kubernetes API Server en versiones 1.1-1.14 y versiones anteriores a 1.15.10, 1.16.7 y 1.17.3, permite a un usuario autorizado que envía cargas maliciosas de YAML causar que el kube-apiserver consuma ciclos de CPU excesivos mientras analiza YAML. Red ... • https://github.com/kubernetes/kubernetes/issues/89535 • CWE-400: Uncontrolled Resource Consumption CWE-1050: Excessive Platform Resource Consumption within a Loop •