Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Kubernetes Subscribe
Filtered by product Kubernetes
Total 48 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1002101 1 Kubernetes 1 Kubernetes 2019-10-09 7.5 HIGH 9.8 CRITICAL
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
CVE-2018-1002100 1 Kubernetes 1 Kubernetes 2019-10-09 3.6 LOW 5.5 MEDIUM
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
CVE-2017-1002102 1 Kubernetes 1 Kubernetes 2019-10-09 6.3 MEDIUM 5.6 MEDIUM
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
CVE-2017-1002101 1 Kubernetes 1 Kubernetes 2019-10-09 5.5 MEDIUM 9.6 CRITICAL
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
CVE-2017-1000056 1 Kubernetes 1 Kubernetes 2019-10-02 7.5 HIGH 9.8 CRITICAL
Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.
CVE-2019-11245 1 Kubernetes 1 Kubernetes 2019-09-19 4.6 MEDIUM 7.8 HIGH
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
CVE-2018-1002105 3 Kubernetes, Netapp, Redhat 3 Kubernetes, Trident, Openshift Container Platform 2019-06-28 7.5 HIGH 9.8 CRITICAL
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
CVE-2017-1002100 1 Kubernetes 1 Kubernetes 2017-09-29 4.0 MEDIUM 6.5 MEDIUM
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.