Page 3 of 18 results (0.020 seconds)

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group. • https://github.com/kubernetes/kubernetes/issues/113756 https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA https://security.netapp.com/advisory/ntap-20230511-0004 https://access.redhat.com/security/cve/CVE-2022-3162 https://bugzilla.redhat.com/show_bug.cgi?id=2136673 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •

CVSS: 3.5EPSS: 0%CPEs: 4EXPL: 0

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. Como mitigación a un informe de 2019 y CVE-2020-8555, Kubernetes intenta impedir que las conexiones proxy accedan a las redes link-local o localhost cuando son realizadas conexiones impulsadas por el usuario a los servicios, pods, nodos o proveedores de servicios StorageClass. • https://github.com/kubernetes/kubernetes/issues/101493 https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY https://security.netapp.com/advisory/ntap-20220225-0002 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 2

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. Se ha detectado un problema de seguridad en Kubernetes en el que un usuario puede ser capaz de crear un contenedor con montajes de volumen de sub-ruta para acceder a archivos y directorios fuera del volumen, incluso en el sistema de archivos del host A flaw was found in kubernetes. An authorized user can exploit this by creating pods with crafted subpath volume mounts to access files and directories outside of the volume, including on the host node's filesystem. • https://github.com/Betep0k/CVE-2021-25741 https://github.com/cdxiaodong/CVE-2021-25741 https://github.com/kubernetes/kubernetes/issues/104980 https://groups.google.com/g/kubernetes-security-announce/c/nyfdhK24H7s https://security.netapp.com/advisory/ntap-20211008-0006 https://access.redhat.com/security/cve/CVE-2021-25741 https://bugzilla.redhat.com/show_bug.cgi?id=1993749 • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-552: Files or Directories Accessible to External Parties •

CVSS: 4.1EPSS: 0%CPEs: 3EXPL: 0

A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. Se ha detectado un problema de seguridad en Kubernetes donde los actores que controlan las respuestas de las peticiones MutatingWebhookConfiguration o ValidatingWebhookConfiguration son capaces de redirigir las peticiones de kube-apiserver a redes privadas del apiserver. Si ese usuario puede visualizar los registros de kube-apiserver cuando el nivel de registro se establece en 10, puede visualizar las respuestas redirigidas y los encabezados en los registros • https://github.com/kubernetes/kubernetes/issues/104720 https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY https://security.netapp.com/advisory/ntap-20211014-0002 • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') CWE-610: Externally Controlled Reference to a Resource in Another Sphere •

CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs. Se ha detectado un problema de seguridad en Kubernetes en el que un usuario puede ser capaz de redirigir el tráfico del pod a redes privadas en un Nodo. Kubernetes ya previene la creación de IPs de Endpoint en el rango localhost o link-local, pero no se ha llevado a cabo la misma comprobación en las IPs de EndpointSlice. A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. • https://github.com/kubernetes/kubernetes/issues/102106 https://groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY https://security.netapp.com/advisory/ntap-20211004-0004 https://access.redhat.com/security/cve/CVE-2021-25737 https://bugzilla.redhat.com/show_bug.cgi?id=1954917 • CWE-20: Improper Input Validation CWE-184: Incomplete List of Disallowed Inputs CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •