CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2019-11247 – Kubernetes kube-apiserver allows access to custom resources via wrong scope
https://notcve.org/view.php?id=CVE-2019-11247
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. El kube-apiserver de Kubernetes permite por error el acceso a un recurso personalizado de ámbito de clúster si la solicitud se realiza como si el recurso estuviera con espacio de nombres. Las autorizaciones para el recurso al que se tiene acceso de esta manera se aplican mediante roles y enlaces de roles dentro del espacio de nombres, lo que significa que un usuario con acceso solo a un recurso en un espacio de nombres podría crear, ver actualizar o eliminar el recurso de ámbito de clúster (según sus privilegios de rol de espacio de nombres). • https://access.redhat.com/errata/RHBA-2019:2816 https://access.redhat.com/errata/RHBA-2019:2824 https://access.redhat.com/errata/RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2769 https://github.com/kubernetes/kubernetes/issues/80983 https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ https://security.netapp.com/advisory/ntap-20190919-0003 https://access.redhat.com/security/cve/CVE-2019-11247 https://bugzilla.redhat.com/show_bug.cgi?id=1 • CWE-20: Improper Input Validation CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11246 – kubectl cp allows symlink directory traversal
https://notcve.org/view.php?id=CVE-2019-11246
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. • https://github.com/kubernetes/kubernetes/pull/76788 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/NLs2TGbfPdo https://security.netapp.com/advisory/ntap-20190919-0003 https://access.redhat.com/security/cve/CVE-2019-11246 https://bugzilla.redhat.com/show_bug.cgi?id=1721704 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2019-9946 – kubernetes: Incorrect rule injection in CNI portmap plugin
https://notcve.org/view.php?id=CVE-2019-9946
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0. La interfaz de red del contenedor (CNI) de Cloud Native Computing Foundation (CNCF), en su versión 0.7.4, tiene una configuración incorrecta en el firewall de red que afecta a Kubernetes. • https://access.redhat.com/errata/RHBA-2019:0862 https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW https://security.netapp.com/advisory/ntap-20190416-0002 https://access.redhat.com/security/cve/CVE-2019-9946 https://bugzilla.redhat.com/show_bug.cgi?id& • CWE-670: Always-Incorrect Control Flow Implementation CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-1002100 – kube-apiserver: DoS with crafted patch of type json-patch
https://notcve.org/view.php?id=CVE-2019-1002100
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. En todas las versiones de Kubernetes anteriores a las v1.11.8, v1.12.6 y v1.13.4, los usuarios autorizados para realizar peticiones de parche en el servidor API de Kubernetes pueden enviar parches "json-patch" (p.ej., `kubectl patch --type json` o `"Content-Type: application/json-patch+json"`) especialmente manipulados que consumen recursos excesivos durante el procesamiento, conduciendo a una denegación de servicio (DoS) en el servidor API A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service. • http://www.securityfocus.com/bid/107290 https://access.redhat.com/errata/RHSA-2019:1851 https://access.redhat.com/errata/RHSA-2019:3239 https://github.com/kubernetes/kubernetes/issues/74534 https://groups.google.com/forum/#%21topic/kubernetes-announce/vmUUNkYfG9g https://security.netapp.com/advisory/ntap-20190416-0002 https://access.redhat.com/security/cve/CVE-2019-1002100 https://bugzilla.redhat.com/show_bug.cgi?id=1683190 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 34%CPEs: 14EXPL: 4CVE-2018-1002105 – Kubernetes - (Unauthenticated) Arbitrary Requests
https://notcve.org/view.php?id=CVE-2018-1002105
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. En todas las versiones de Kubernetes anteriores a la v1.10.11, v1.11.5 y la v1.12.3, el manejo incorrecto de las respuestas de error a las peticiones de actualización en el proxy en kube-apiserver permitían que las peticiones especialmente manipuladas estableciesen una conexión mediante el servidor de la API de Kubernetes a los servidores del backend y enviasen peticiones arbitrarias en la misma conexión directamente al backend, autenticadas con las credenciales TLS del servidor de la API de Kubernetes empleadas para establecer la conexión con el backend. A privilege escalation vulnerability exists in OpenShift Container Platform which allows for compromise of pods running co-located on a compute node. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers. • https://www.exploit-db.com/exploits/46052 https://www.exploit-db.com/exploits/46053 https://github.com/sh-ubh/CVE-2018-1002105 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/07/06/3 http://www.openwall.com/lists/oss-security/2019/07/06/4 http://www.securityfocus.com/bid/106068 https://access.redhat.com/errata/RHSA-2018:3537 h • CWE-305: Authentication Bypass by Primary Weakness CWE-388: 7PK - Errors •