The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorization for a resource accessed in this manner is enforced using the Roles and RoleBindings of that namespace, meaning that a user with access only to the resource within one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges). Affected Kubernetes versions include versions before 1.13.9, versions before 1.14.5, versions before 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11 and 1.12.
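The request shape described above leaves a distinctive trace in the kube-apiserver audit log: an event whose `objectRef` names a cluster-scoped custom resource yet also carries a `namespace`. The following detection script is an added example written for this page, not code from the Kubernetes project or from the advisory. It assumes an audit policy that records at least `Metadata`-level events as JSON lines, and it uses a constructed set of cluster-scoped CRDs (`example.com/widgets`) and constructed sample events; in a real cluster the set would be built from `kubectl get crd -o json`, keeping entries whose `spec.scope` is `Cluster`.

```python
import json

# Constructed for this example: the cluster-scoped CRDs of a hypothetical
# cluster, keyed by (apiGroup, resource). In practice, derive this set from
# `kubectl get crd -o json`, keeping CRDs whose spec.scope is "Cluster".
CLUSTER_SCOPED_CRDS = {
    ("example.com", "widgets"),
}

# Constructed sample audit events in the kube-apiserver audit log's JSON-lines
# format (not captured from a real cluster).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","verb":"create","user":{"username":"alice"},"requestURI":"/apis/example.com/v1/namespaces/team-a/widgets","objectRef":{"resource":"widgets","namespace":"team-a","name":"w1","apiGroup":"example.com","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","verb":"get","user":{"username":"bob"},"requestURI":"/apis/example.com/v1/widgets/w1","objectRef":{"resource":"widgets","name":"w1","apiGroup":"example.com","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"list","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/team-a/pods","objectRef":{"resource":"pods","namespace":"team-a","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","verb":"delete","user":{"username":"carol"},"requestURI":"/apis/example.com/v1/namespaces/team-b/widgets/w1","objectRef":{"resource":"widgets","namespace":"team-b","name":"w1","apiGroup":"example.com","apiVersion":"v1"},"responseStatus":{"code":403}}
"""


def find_namespaced_access_to_cluster_scoped(log_text, cluster_scoped=CLUSTER_SCOPED_CRDS,
                                             successful_only=False):
    """Return audit events whose objectRef names a cluster-scoped CRD resource
    while also carrying a namespace, i.e. the request shape this CVE concerns.

    successful_only=True keeps only events the API server actually served
    (HTTP status < 400). A denied attempt is still worth seeing, so by default
    both are reported and the status is recorded for triage."""
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        key = (ref.get("apiGroup", ""), ref.get("resource", ""))
        namespace = ref.get("namespace")
        # Core resources such as pods carry no apiGroup and never match the set;
        # a cluster-scoped CRD with no namespace in objectRef is a normal request.
        if key not in cluster_scoped or not namespace:
            continue
        status = (ev.get("responseStatus") or {}).get("code")
        if successful_only and (status is None or status >= 400):
            continue
        hits.append({
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev.get("verb"),
            "resource": f"{key[0]}/{key[1]}",
            "name": ref.get("name"),
            "namespace": namespace,
            "status": status,
            "requestURI": ev.get("requestURI"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_namespaced_access_to_cluster_scoped(SAMPLE_AUDIT_LOG):
        print(hit)
```

On the constructed sample, the script reports alice's namespaced `create` of a `widgets` object (served with 201) and carol's denied `delete`, while bob's correctly cluster-scoped `get` and the ordinary `pods` list are ignored. On an unpatched API server a hit with a 2xx status means a namespace-level Role was used to act on a cluster-scoped object; on a patched server such requests should no longer succeed, so the same check doubles as a confirmation that the upgrade took effect.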
Vulnerable Product |
---|
kubernetes kubernetes |
kubernetes kubernetes 1.12.11 |
redhat openshift container platform 3.9 |
redhat openshift container platform 3.10 |
redhat openshift container platform 3.11 |
Lid lifted on container toolkit's two million lines of code, 34 vulnerabilities peer out

Container code cluster-fact: There's a hole in Kubernetes that lets miscreants cause havoc
The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you'd expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed. The CNCF engaged two security firms, Trail of Bits and Atredis Partners, to poke around Kubernetes code over the course of four months. The companies looked at Kubernetes components involved in networking, cr...