vuln-list-update/k8s/testdata/expected-vulndb.json
DmitriyLewen a948784f3a
test(k8s): remove internet access (#256)
Co-authored-by: chenk <hen.keinan@gmail.com>
2023-11-14 16:25:34 +09:00


[{"id":"CVE-2023-2431","modified":"2023-06-15T14:42:32Z","published":"2023-06-15T14:42:32Z","summary":"Bypass of seccomp profile enforcement ","details":"A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.","affected":[{"package":{"ecosystem":"kubernetes","name":"k8s.io/kubelet"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.14"},{"introduced":"1.25.0"},{"fixed":"1.25.9"},{"introduced":"1.26.0"},{"fixed":"1.26.4"},{"introduced":"1.27.0"},{"fixed":"1.27.1"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/118690"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2023-2431"}]},{"id":"CVE-2023-2727","modified":"2023-06-13T14:42:06Z","published":"2023-06-13T14:42:06Z","summary":"Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin","details":"Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. 
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n","affected":[{"package":{"ecosystem":"kubernetes","name":"k8s.io/apiserver"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"1.24.0"},{"last_affected":"1.24.14"},{"introduced":"1.25.0"},{"last_affected":"1.25.10"},{"introduced":"1.26.0"},{"last_affected":"1.26.5"},{"introduced":"1.27.0"},{"last_affected":"1.27.2"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2023-2727, CVE-2023-2728"}]},{"id":"CVE-2023-2728","modified":"2023-06-13T14:42:06Z","published":"2023-06-13T14:42:06Z","summary":"Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin","details":"Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service accounts secrets field. 
Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n","affected":[{"package":{"ecosystem":"kubernetes","name":"k8s.io/apiserver"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"1.24.0"},{"last_affected":"1.24.14"},{"introduced":"1.25.0"},{"last_affected":"1.25.10"},{"introduced":"1.26.0"},{"last_affected":"1.26.5"},{"introduced":"1.27.0"},{"last_affected":"1.27.2"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2023-2727, CVE-2023-2728"}]},{"id":"CVE-2023-2878","modified":"2023-06-02T19:03:54Z","published":"2023-06-02T19:03:54Z","summary":"secrets-store-csi-driver discloses service account tokens in logs","details":"Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.\n","affected":[{"package":{"ecosystem":"kubernetes","name":"sigs.k8s.io/secrets-store-csi-driver"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.3"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/118419"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2023-2878"}]},{"id":"CVE-2020-8557","modified":"2020-07-13T18:39:08Z","published":"2020-07-13T18:39:08Z","summary":"Node disk DOS by writing to container /etc/hosts","details":"The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. 
If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.","affected":[{"package":{"ecosystem":"kubernetes","name":"k8s.io/kubelet"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"1.1.0"},{"fixed":"1.16.13"},{"introduced":"1.17.0"},{"fixed":"1.17.9"},{"introduced":"1.18.0"},{"fixed":"1.18.6"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/93032"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2020-8557"}]},{"id":"CVE-2017-1002102","modified":"2018-03-05T20:55:20Z","published":"2018-03-05T20:55:20Z","summary":"atomic writer volume handling allows arbitrary file deletion in host filesystem","details":"In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.","affected":[{"package":{"ecosystem":"kubernetes","name":"k8s.io/kubelet"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"}],"ranges":[{"type":"SEMVER","events":[{"introduced":"1.3.0"},{"fixed":"1.7.14"},{"introduced":"1.8.0"},{"fixed":"1.8.9"},{"introduced":"1.9.0"},{"fixed":"1.9.4"}]}]}],"references":[{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/60814"},{"type":"ADVISORY","url":"https://www.cve.org/cverecord?id=CVE-2017-1002102"}]}]