Filtered by vendor Kubernetes
Subscribe
Total
96 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1002103 | 1 Kubernetes | 1 Minikube | 2026-06-17 | 6.8 MEDIUM | 8.1 HIGH |
| In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem. | |||||
| CVE-2018-1002102 | 2 Fedoraproject, Kubernetes | 2 Fedora, Kubernetes | 2026-06-17 | 2.1 LOW | 2.6 LOW |
| Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. | |||||
| CVE-2018-1002101 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 7.5 HIGH | 5.9 MEDIUM |
| In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. | |||||
| CVE-2018-1002100 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 3.6 LOW | 4.2 MEDIUM |
| In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. | |||||
| CVE-2018-1000400 | 1 Kubernetes | 1 Cri-o | 2026-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9. | |||||
| CVE-2017-1002102 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 6.3 MEDIUM | 7.1 HIGH |
| In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running. | |||||
| CVE-2017-1002101 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 5.5 MEDIUM | 8.8 HIGH |
| In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem. | |||||
| CVE-2017-1002100 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal. | |||||
| CVE-2017-1000056 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. | |||||
| CVE-2016-7075 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2026-06-17 | 6.8 MEDIUM | 7.5 HIGH |
| It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate. | |||||
| CVE-2016-1906 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. | |||||
| CVE-2016-1905 | 1 Kubernetes | 1 Kubernetes | 2026-06-17 | 4.0 MEDIUM | 7.7 HIGH |
| The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. | |||||
| CVE-2015-7561 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2026-06-17 | 3.5 LOW | 3.1 LOW |
| Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. | |||||
| CVE-2015-7528 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. | |||||
| CVE-2026-4342 | 1 Kubernetes | 1 Nginx Ingress Controller | 2026-05-19 | N/A | 8.8 HIGH |
| A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | |||||
| CVE-2026-33519 | 4 Esri, Kubernetes, Linux and 1 more | 4 Portal For Arcgis, Kubernetes, Linux Kernel and 1 more | 2026-05-18 | N/A | 9.8 CRITICAL |
| An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. | |||||