Kubernetes Official CVE Feed

Node setting allows for neighboring hosts to bypass localhost boundary

Half-Blind SSRF in kube-controller-manager

IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

kube-apiserver Denial of Service vulnerability from malicious YAML payloads

apiserver DoS (oom)

Kubelet DoS via API

ingress-nginx auth-type basic annotation vulnerability

kubectl cp symlink vulnerability

Unvalidated redirect

CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

Bearer tokens are revealed in logs (audit finding TOB-K8S-001)

/debug/pprof exposed on kubelet's healthz port

Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal

API server allows access to custom resources via wrong scope

container uid changes to root after first restart or if image is already pulled to the node

rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()

`kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files

json-patch requests can exhaust apiserver resources

proxy request handling in kube-apiserver can leave vulnerable TCP connections