CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14891 – cri-o: infra container reparented to systemd following OOM Killer killing it's conmon
https://notcve.org/view.php?id=CVE-2019-14891
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on an cri-o host. Se encontró un fallo en cri-o, como un resultado de que todos los procesos relacionados con pod están colocados en el mismo grupo de memoria. Esto puede resultar en que se eliminen los procesos de administración de contenedores (conmon) si un proceso de carga de trabajo desencadena una condición de falta de memoria (OOM) para el cgroup. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14891 https://access.redhat.com/security/cve/CVE-2019-14891 https://bugzilla.redhat.com/show_bug.cgi?id=1772280 • CWE-460: Improper Cleanup on Thrown Exception CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2019-10223
https://notcve.org/view.php?id=CVE-2019-10223
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. • http://www.openwall.com/lists/oss-security/2019/08/15/8 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223 https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2 https://www.openwall.com/lists/oss-security/2019/08/09/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 1CVE-2019-11253 – Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
https://notcve.org/view.php?id=CVE-2019-11253
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. La comprobación de entrada inapropiada en el servidor API de Kubernetes en las versiones v1.0 hasta 1.12 y versiones anteriores a v1.13.12, v1.14.8, v1.15.5 y v1.16.2, permite a los usuarios autorizados enviar cargas maliciosas de YAML o JSON, causando que el servidor API consuma demasiada CPU o memoria, fallando potencialmente y dejando de estar disponible. En versiones anteriores a v1.14.0, la política predeterminada de RBAC autorizaba a los usuarios anónimos para enviar peticiones que pudieran desencadenar esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3811 https://access.redhat.com/errata/RHSA-2019:3905 https://github.com/kubernetes/kubernetes/issues/83253 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/jk8polzSUxs https://security.netapp.com/advisory/ntap-20191031-0006 https://access.redhat.com/security/cve/CVE-2019-11253 https://bugzilla.redhat.com/show_bug.cgi?id=1757701 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14819 – openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade
https://notcve.org/view.php?id=CVE-2019-14819
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints. Se encontró un fallo durante la actualización de un clúster existente de OpenShift Container Platform versiones 3.x. Usando CRI-O, la cuenta de servicio dockergc es asignada al espacio de nombres actual del usuario que lleva a cabo la actualización. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14819 https://access.redhat.com/security/cve/CVE-2019-14819 https://bugzilla.redhat.com/show_bug.cgi?id=1746238 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management CWE-270: Privilege Context Switching Error •
CVSS: 7.8EPSS: 0%CPEs: 82EXPL: 1CVE-2019-14835 – kernel: vhost-net: guest to host kernel escape during migration
https://notcve.org/view.php?id=CVE-2019-14835
A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. Se encontró un fallo de desbordamiento de búfer, en las versiones desde 2.6.34 hasta 5.2.x, en la manera en que la funcionalidad vhost del kernel de Linux que traduce los búferes virtueue en IOV, registraba los descriptores del búfer durante una migración. Un usuario invitado privilegiado capaz de pasar descriptores con una longitud no válida hacia el host cuando la migración está en marcha, podría usar este fallo para aumentar sus privilegios sobre el host. A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01- • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •