Kubernetes Official CVE Feed

Validating Admission Webhook does not observe some previous fields

Man in the middle using LoadBalancer or ExternalIPs

Ceph RBD adminSecrets exposed in logs when loglevel >= 4

Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9

Docker config secrets leaked when file is malformed and log level >= 4

Secret leaks in kube-controller-manager when using vSphere provider

Node disk DOS by writing to container /etc/hosts

Privilege escalation from compromised node to cluster

Node setting allows for neighboring hosts to bypass localhost boundary

Half-Blind SSRF in kube-controller-manager

IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

kube-apiserver Denial of Service vulnerability from malicious YAML payloads

apiserver DoS (oom)

Kubelet DoS via API

ingress-nginx auth-type basic annotation vulnerability

kubectl cp symlink vulnerability

Unvalidated redirect

CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

Bearer tokens are revealed in logs