CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2019-11255 – Kubernetes CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation
https://notcve.org/view.php?id=CVE-2019-11255
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations. Una comprobación de entrada inapropiada en contenedores sidecar de Kubernetes CSI para external-provisioner (versiones anteriores a v0.4.3, versiones anteriores a v1.0.2, v1.1, versiones anteriores a v1.2.2, versiones anteriores a v1.3.1), external-snapshotter (versiones anteriores a v0.4.2, versiones anteriores a v1. 0.2, v1.1, versiones anteriores a 1.2.2) y external-resizer (versiones v0.1, v0.2), podrían resultar en el acceso no autorizado a los datos PersistentVolume o la mutación del volumen durante una imagen instantánea, una restauración desde una imagen instantánea, la clonación y el cambio de tamaño. • https://access.redhat.com/errata/RHSA-2019:4054 https://access.redhat.com/errata/RHSA-2019:4096 https://access.redhat.com/errata/RHSA-2019:4099 https://access.redhat.com/errata/RHSA-2019:4225 https://github.com/kubernetes/kubernetes/issues/85233 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/aXiYN0q4uIw https://security.netapp.com/advisory/ntap-20200810-0003 https://access.redhat.com/security/cve/CVE-2019-11255 https://bugzilla.redhat.com/show_bug.cgi?id=1 • CWE-20: Improper Input Validation •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14891 – cri-o: infra container reparented to systemd following OOM Killer killing it's conmon
https://notcve.org/view.php?id=CVE-2019-14891
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on an cri-o host. Se encontró un fallo en cri-o, como un resultado de que todos los procesos relacionados con pod están colocados en el mismo grupo de memoria. Esto puede resultar en que se eliminen los procesos de administración de contenedores (conmon) si un proceso de carga de trabajo desencadena una condición de falta de memoria (OOM) para el cgroup. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14891 https://access.redhat.com/security/cve/CVE-2019-14891 https://bugzilla.redhat.com/show_bug.cgi?id=1772280 • CWE-460: Improper Cleanup on Thrown Exception CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2019-10223
https://notcve.org/view.php?id=CVE-2019-10223
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. • http://www.openwall.com/lists/oss-security/2019/08/15/8 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223 https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2 https://www.openwall.com/lists/oss-security/2019/08/09/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 8EXPL: 1CVE-2019-11253 – Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
https://notcve.org/view.php?id=CVE-2019-11253
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. La comprobación de entrada inapropiada en el servidor API de Kubernetes en las versiones v1.0 hasta 1.12 y versiones anteriores a v1.13.12, v1.14.8, v1.15.5 y v1.16.2, permite a los usuarios autorizados enviar cargas maliciosas de YAML o JSON, causando que el servidor API consuma demasiada CPU o memoria, fallando potencialmente y dejando de estar disponible. En versiones anteriores a v1.14.0, la política predeterminada de RBAC autorizaba a los usuarios anónimos para enviar peticiones que pudieran desencadenar esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3811 https://access.redhat.com/errata/RHSA-2019:3905 https://github.com/kubernetes/kubernetes/issues/83253 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/jk8polzSUxs https://security.netapp.com/advisory/ntap-20191031-0006 https://access.redhat.com/security/cve/CVE-2019-11253 https://bugzilla.redhat.com/show_bug.cgi?id=1757701 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14819 – openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade
https://notcve.org/view.php?id=CVE-2019-14819
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints. Se encontró un fallo durante la actualización de un clúster existente de OpenShift Container Platform versiones 3.x. Usando CRI-O, la cuenta de servicio dockergc es asignada al espacio de nombres actual del usuario que lleva a cabo la actualización. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14819 https://access.redhat.com/security/cve/CVE-2019-14819 https://bugzilla.redhat.com/show_bug.cgi?id=1746238 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management CWE-270: Privilege Context Switching Error •