CVE-2020-8564 – Docker config secrets leaked when file is malformed and loglevel >= 4
https://notcve.org/view.php?id=CVE-2020-8564
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. En los clústeres de Kubernetes que usan un nivel de registro de al menos 4, el procesamiento de un archivo de configuración de docker malformado dará como resultado la filtración del contenido del archivo de configuración de docker, que puede incluir secretos de extracción u otras credenciales de registro. Esto afecta versiones anteriores a v1.19.3, versiones anteriores a v1.18.10, versiones anteriores a v1.17.13 A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. • https://github.com/kubernetes/kubernetes/issues/95622 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://security.netapp.com/advisory/ntap-20210122-0006 https://access.redhat.com/security/cve/CVE-2020-8564 https://bugzilla.redhat.com/show_bug.cgi?id=1886637 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-8557 – Kubernetes node disk Denial of Service by writing to container /etc/hosts
https://notcve.org/view.php?id=CVE-2020-8557
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. El componente kubelet de Kubenetes versiones 1.1-1.16.12, 1.17.0-1.17.8 y 1.18.0-1.18.5, no cuenta para el uso del disco por parte de un pod que escribe en su propio archivo /etc/hosts. El archivo /etc/hosts montado en un pod para kubelet no esta incluido para el administrador de desalojo de kubelet al calcular el uso de almacenamiento efímero por un pod. • https://github.com/kubernetes/kubernetes/issues/93032 https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ https://security.netapp.com/advisory/ntap-20200821-0002 https://access.redhat.com/security/cve/CVE-2020-8557 https://bugzilla.redhat.com/show_bug.cgi?id=1835977 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-11252 – Credential leakage when failing to mount
https://notcve.org/view.php?id=CVE-2019-11252
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. El Kubernetes kube-controller-manager en versiones v1.0-v1.17, es vulnerable a una filtración de credenciales por medio de mensajes de error en registros de fallo de montaje y eventos para volúmenes de AzureFile y CephFS A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality. • https://github.com/kubernetes/kubernetes/pull/88684 https://access.redhat.com/security/cve/CVE-2019-11252 https://bugzilla.redhat.com/show_bug.cgi?id=1860158 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2020-8559 – Privilege escalation from compromised node to cluster
https://notcve.org/view.php?id=CVE-2020-8559
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. El Kubernetes kube-apiserver en versiones v1.6-v1.15 y versiones anteriores a v1.16.13, v1.17.9 y v1.18.6, son vulnerables a un redireccionamiento no validado en las peticiones de actualización proxy que podrían permitir a un atacante escalar privilegios desde un compromiso de nodo a un compromiso del clúster completo A flaw was found in the Kubernetes API server, where it allows an attacker to escalate their privileges from a compromised node. This flaw allows an attacker who can intercept requests on a compromised node, to redirect those requests, along with their credentials, to perform actions on other endpoints that trust those credentials (including other clusters), allowing for escalation of privileges. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. • https://github.com/tdwyer/CVE-2020-8559 https://github.com/kubernetes/kubernetes/issues/92914 https://groups.google.com/d/msg/kubernetes-security-announce/JAIGG5yNROs/19nHQ5wkBwAJ https://security.netapp.com/advisory/ntap-20200810-0004 https://access.redhat.com/security/cve/CVE-2020-8559 https://bugzilla.redhat.com/show_bug.cgi?id=1851422 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2020-8558 – Kubernetes node setting allows for neighboring hosts to bypass localhost boundary
https://notcve.org/view.php?id=CVE-2020-8558
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. Se encontró que los componentes Kubelet y kube-proxy en las versiones 1.1.0-1.16.10, 1.17.0-1.17.6 y 1.18.0-1.18.3, contienen un problema de seguridad que permite a los hosts adyacentes alcanzar los servicios TCP y UDP vinculados a la versión 127.0.0.1, que se ejecutan en el nodo o en el espacio de nombres de red del nodo. Dicho servicio se considera generalmente que puede ser alcanzado solo por otros procesos en el mismo host, pero debido a esta defensa, podrían ser alcanzados por otros hosts en la misma LAN que el nodo o por contenedores que se ejecutan en el mismo nodo que el servicio A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication. • https://github.com/kubernetes/kubernetes/issues/92315 https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ https://security.netapp.com/advisory/ntap-20200821-0001 https://access.redhat.com/security/cve/CVE-2020-8558 https://bugzilla.redhat.com/show_bug.cgi?id=1843358 • CWE-300: Channel Accessible by Non-Endpoint CWE-420: Unprotected Alternate Channel •