Title history (mend-for-github-com bot):
Nov 10, 2024: "k8s.io/KUBERNETES-v1.15.9: 5 vulnerabilities (highest severity is: 6.3)" changed to "k8s.io/KUBERNETES-v1.15.9: 3 vulnerabilities (highest severity is: 6.3)"
Nov 17, 2024: "k8s.io/KUBERNETES-v1.15.9: 3 vulnerabilities (highest severity is: 6.3)" changed to "k8s.io/KUBERNETES-v1.15.9: 4 vulnerabilities (highest severity is: 7.7)"
Nov 21, 2024: "k8s.io/KUBERNETES-v1.15.9: 4 vulnerabilities (highest severity is: 7.7)" changed to "k8s.io/KUBERNETES-v1.15.9: 5 vulnerabilities (highest severity is: 7.7)"
Nov 23, 2024: "k8s.io/KUBERNETES-v1.15.9: 5 vulnerabilities (highest severity is: 7.7)" changed to "k8s.io/KUBERNETES-v1.15.9: 5 vulnerabilities (highest severity is: 8.1)"
Vulnerable Library - k8s.io/KUBERNETES-v1.15.9
Production-Grade Container Scheduling and Management
Library home page: https://proxy.golang.org/k8s.io/!k!u!b!e!r!n!e!t!e!s/@v/v1.15.9.zip
Path to dependency file: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Path to vulnerable library: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Vulnerabilities

| CVE | CVSS 3 | Fix Resolution | Remediation |
| --- | --- | --- | --- |
| CVE-2024-10220 | 8.1 | github.com/kubernetes/kubernetes v1.28.12, v1.29.7, v1.30.3 | ⛑️ automatic ** |
| CVE-2024-0793 | 7.7 | github.com/openshift/kubernetes@8f8514080eaed5bdcbaa67a02d7314440aac5ec4 | ⛑️ automatic ** |
| CVE-2020-8555 | 6.3 | v1.18.1, v1.17.5, v1.16.9, v1.15.12 | ⛑️ automatic ** |
| CVE-2019-11252 | 5.9 | v1.18.0-beta.2 | ⛑️ automatic ** |
| CVE-2020-15113 | 5.7 | 3.4.10, 3.3.23 (etcd) | ⛑️ automatic ** |

** In some cases a remediation PR cannot be created automatically for a vulnerability even though a fix is available.

Details
CVE-2024-10220
Dependency Hierarchy: ❌ k8s.io/KUBERNETES-v1.15.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container's boundary.
Publish Date: 2024-11-22
URL: CVE-2024-10220
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q4/109
Release Date: 2024-11-19
Fix Resolution: github.com/kubernetes/kubernetes v1.28.12, v1.29.7, v1.30.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-0793
Dependency Hierarchy: ❌ k8s.io/KUBERNETES-v1.15.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
Publish Date: 2024-11-17
URL: CVE-2024-0793
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-11-17
Fix Resolution: github.com/openshift/kubernetes@8f8514080eaed5bdcbaa67a02d7314440aac5ec4
⛑️ Automatic Remediation will be attempted for this issue.
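The two descriptions above (command execution through a gitRepo volume under CVE-2024-10220, and kube-controller-manager restart churn after applying an HPA with no .spec.behavior.scaleUp under CVE-2024-0793) both name a manifest shape an operator can look for before the upgrade lands. The program below is an added example, not code from Kubernetes, Mend or the repository this issue was filed against: it reads a kubectl-style List document, flags every Pod that mounts a gitRepo volume and every HorizontalPodAutoscaler whose spec lacks behavior.scaleUp, and prints the findings. The embedded List is constructed for the example (the namespaces, object names and repository URL are invented); its second Pod shows the replacement for gitRepo, an initContainer that clones into an emptyDir. Note that the fix resolution for CVE-2024-0793 listed above is a commit on the openshift/kubernetes fork rather than an upstream k8s.io/kubernetes release.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one audit result: the flagged object and the reason.
type Finding struct {
	Kind, Namespace, Name, Reason string
}

// object is the subset of a Kubernetes manifest this audit reads. encoding/json
// ignores unknown fields, so unmodified `kubectl get pods,hpa -A -o json` output
// can be passed straight in.
type object struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		// Pod: a volume with a gitRepo source is the construct CVE-2024-10220 abuses.
		Volumes []struct {
			Name    string          `json:"name"`
			GitRepo json.RawMessage `json:"gitRepo"`
		} `json:"volumes"`
		// HPA: CVE-2024-0793 is triggered by applying a spec with no behavior.scaleUp.
		Behavior *struct {
			ScaleUp json.RawMessage `json:"scaleUp"`
		} `json:"behavior"`
	} `json:"spec"`
}

// present reports whether a JSON field was given with a non-null value.
func present(raw json.RawMessage) bool { return len(raw) > 0 && string(raw) != "null" }

// AuditList parses a kubectl "List" document and returns, in document order, one
// Finding per Pod that mounts a gitRepo volume and per HorizontalPodAutoscaler
// whose spec has no behavior.scaleUp block.
func AuditList(listJSON []byte) ([]Finding, error) {
	var list struct {
		Items []object `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parse list: %w", err)
	}
	var findings []Finding
	for _, o := range list.Items {
		switch o.Kind {
		case "Pod":
			for _, v := range o.Spec.Volumes {
				if present(v.GitRepo) {
					findings = append(findings, Finding{o.Kind, o.Metadata.Namespace, o.Metadata.Name,
						"gitRepo volume " + v.Name + " (CVE-2024-10220): clone in an initContainer into an emptyDir instead"})
				}
			}
		case "HorizontalPodAutoscaler":
			if o.Spec.Behavior == nil || !present(o.Spec.Behavior.ScaleUp) {
				findings = append(findings, Finding{o.Kind, o.Metadata.Namespace, o.Metadata.Name,
					"spec.behavior.scaleUp missing (CVE-2024-0793): set it explicitly before applying"})
			}
		}
	}
	return findings, nil
}

// sampleList is constructed for this example (names and the repository URL are invented).
const sampleList = `{"kind": "List", "items": [
 {"kind": "Pod", "metadata": {"namespace": "ci", "name": "repo-sync"},
  "spec": {"containers": [{"name": "app", "image": "busybox", "volumeMounts": [{"name": "src", "mountPath": "/work"}]}],
           "volumes": [{"name": "src", "gitRepo": {"repository": "https://git.example.invalid/org/repo.git"}}]}},
 {"kind": "Pod", "metadata": {"namespace": "ci", "name": "repo-sync-safe"},
  "spec": {"initContainers": [{"name": "clone", "image": "alpine/git",
             "args": ["clone", "--", "https://git.example.invalid/org/repo.git", "/work/repo"],
             "volumeMounts": [{"name": "src", "mountPath": "/work"}]}],
           "containers": [{"name": "app", "image": "busybox", "volumeMounts": [{"name": "src", "mountPath": "/work"}]}],
           "volumes": [{"name": "src", "emptyDir": {}}]}},
 {"kind": "HorizontalPodAutoscaler", "metadata": {"namespace": "web", "name": "web-hpa-old"},
  "spec": {"minReplicas": 1, "maxReplicas": 5}},
 {"kind": "HorizontalPodAutoscaler", "metadata": {"namespace": "web", "name": "web-hpa"},
  "spec": {"minReplicas": 1, "maxReplicas": 5, "behavior": {"scaleUp": {"stabilizationWindowSeconds": 0}}}}
]}`

func main() {
	findings, err := AuditList([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s/%s: %s\n", f.Kind, f.Namespace, f.Name, f.Reason)
	}
}
```

Running it with `go run` prints two findings: the Pod repo-sync (gitRepo volume) and the HPA web-hpa-old (no scaleUp block); repo-sync-safe and web-hpa pass. To audit a live cluster, replace sampleList with the output of `kubectl get pods,hpa -A -o json`.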
CVE-2020-8555
Dependency Hierarchy: ❌ k8s.io/KUBERNETES-v1.15.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
Publish Date: 2020-06-04
URL: CVE-2020-8555
CVSS 3 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-05
Fix Resolution: v1.18.1, v1.17.5, v1.16.9, v1.15.12
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-11252
Dependency Hierarchy: ❌ k8s.io/KUBERNETES-v1.15.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.
Publish Date: 2020-07-23
URL: CVE-2019-11252
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11252
Release Date: 2020-07-28
Fix Resolution: v1.18.0-beta.2
⛑️ Automatic Remediation will be attempted for this issue.
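Besides upgrading, a practitioner hit by CVE-2019-11252 wants to know whether credentials have already landed in kubelet or kube-controller-manager logs and events, because those need rotating. The scanner below is an added example in Go, not Kubernetes code: it looks for the credential-bearing mount options that the AzureFile (CIFS) and CephFS mount commands take, `password=` and `secret=`, reports each leaked value and returns a redacted copy of the line. The log lines are constructed to imitate the shape of kubelet mount-failure messages and are not a real capture; the option names are the assumption the regular expression encodes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// secretOpt matches mount options that carry a credential: "password=" as passed to
// mount.cifs for AzureFile shares and "secret=" as passed to mount.ceph for CephFS.
// The value runs up to the next comma, whitespace or quote.
var secretOpt = regexp.MustCompile(`(?i)\b(password|secret)=([^,\s"']+)`)

// Leak is one credential value found in a log or event line.
type Leak struct {
	Option string // which mount option leaked, lower-cased
	Value  string // the leaked value, so the operator knows which credential to rotate
}

// ScanMountLine returns the line with every credential value replaced by
// "<redacted>" together with the list of values that were exposed.
func ScanMountLine(line string) (string, []Leak) {
	var leaks []Leak
	redacted := secretOpt.ReplaceAllStringFunc(line, func(m string) string {
		sub := secretOpt.FindStringSubmatch(m)
		leaks = append(leaks, Leak{Option: strings.ToLower(sub[1]), Value: sub[2]})
		return sub[1] + "=<redacted>"
	})
	return redacted, leaks
}

// ScanLog runs ScanMountLine over a whole log and returns only the lines that
// leaked something, keyed by their 0-based line number.
func ScanLog(log string) map[int][]Leak {
	out := map[int][]Leak{}
	for i, line := range strings.Split(log, "\n") {
		if _, leaks := ScanMountLine(line); len(leaks) > 0 {
			out[i] = leaks
		}
	}
	return out
}

// sampleLog is constructed for this example: three kubelet-style mount failures,
// an AzureFile (cifs) mount, a CephFS mount and an NFS mount with no credential.
const sampleLog = `E1120 10:01:02.000000 1234 nestedpendingoperations.go:301] MountVolume.SetUp failed for volume "azurefile" : mount failed: exit status 32 Mounting command: mount Mounting arguments: -t cifs -o vers=3.0,username=storacct,password=hunter2Az==,dir_mode=0777 //storacct.file.core.windows.net/share /var/lib/kubelet/pods/p1/volumes/kubernetes.io~azure-file/azurefile
E1120 10:01:05.000000 1234 nestedpendingoperations.go:301] MountVolume.SetUp failed for volume "cephfs" : mount failed: exit status 32 Mounting command: mount Mounting arguments: -t ceph -o name=admin,secret=AQDcephExampleKey== 10.0.0.5:6789:/ /var/lib/kubelet/pods/p2/volumes/kubernetes.io~cephfs/cephfs
E1120 10:01:09.000000 1234 nestedpendingoperations.go:301] MountVolume.SetUp failed for volume "data" : mount failed: exit status 32 Mounting command: mount Mounting arguments: -t nfs 10.0.0.9:/export /var/lib/kubelet/pods/p3/volumes/kubernetes.io~nfs/data`

func main() {
	for i, line := range strings.Split(sampleLog, "\n") {
		redacted, leaks := ScanMountLine(line)
		for _, l := range leaks {
			fmt.Printf("line %d: %s= leaked (rotate value %q)\n", i, l.Option, l.Value)
		}
		fmt.Println(redacted)
	}
}
```

On a real cluster the same function can be pointed at `kubectl get events -A -o json` output and at kubelet journal lines; a hit means the credential is in the log pipeline and should be rotated, not just the line deleted.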
CVE-2020-15113
Dependency Hierarchy: ❌ k8s.io/KUBERNETES-v1.15.9 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
Publish Date: 2020-08-05
URL: CVE-2020-15113
CVSS 3 Score Details (5.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-08-05
Fix Resolution: 3.4.10, 3.3.23
⛑️ Automatic Remediation will be attempted for this issue.
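The etcd description above turns on one property of Go's os.MkdirAll: it returns success without checking or changing the mode of a directory that already exists, so MkdirAll(dir, 0700) leaves a pre-existing 0755 data directory world-readable. The program below is an added example in Go and not etcd's code: EnsureDirInsecure mirrors the pre-fix pattern the description names, EnsureDirPrivate adds the check the workaround asks for (stat whatever exists at the path and tighten it to 0700 when group or other bits are set), and DirIsPrivate is the assertion an operator can run against a real data directory. The "member" directory under a temporary directory is just for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// privateDir is the mode etcd wants for its data and auto-TLS directories.
const privateDir os.FileMode = 0o700

// EnsureDirInsecure mirrors the pre-fix pattern os.MkdirAll(dir, 0700). MkdirAll
// returns nil without touching the mode when dir already exists, so a directory
// created earlier as 0755 stays readable by every local user.
func EnsureDirInsecure(dir string) error {
	return os.MkdirAll(dir, privateDir)
}

// EnsureDirPrivate creates dir if needed, then checks the mode of whatever exists at
// that path and tightens it to 0700 when any group or other bit is set. It returns
// the mode found before any correction so the caller can log that a fix-up happened.
func EnsureDirPrivate(dir string) (os.FileMode, error) {
	if err := os.MkdirAll(dir, privateDir); err != nil {
		return 0, err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	if !info.IsDir() {
		return 0, fmt.Errorf("%s exists but is not a directory", dir)
	}
	before := info.Mode().Perm()
	if before&0o077 != 0 {
		if err := os.Chmod(dir, privateDir); err != nil {
			return before, err
		}
	}
	return before, nil
}

// DirIsPrivate reports whether dir exists, is a directory and has no group/other bits.
func DirIsPrivate(dir string) (bool, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	return info.IsDir() && info.Mode().Perm()&0o077 == 0, nil
}

func main() {
	base, err := os.MkdirTemp("", "etcd-perm-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	dir := filepath.Join(base, "member")

	// Simulate a data directory left behind with a loose mode, e.g. created by a
	// packaging script or an earlier run under a permissive umask. Chmod is used
	// after Mkdir because Mkdir's mode is subject to the process umask.
	if err := os.Mkdir(dir, 0o755); err != nil {
		panic(err)
	}
	if err := os.Chmod(dir, 0o755); err != nil {
		panic(err)
	}

	_ = EnsureDirInsecure(dir)
	ok, _ := DirIsPrivate(dir)
	fmt.Println("after MkdirAll(dir, 0700) only, private:", ok)

	before, err := EnsureDirPrivate(dir)
	if err != nil {
		panic(err)
	}
	ok, _ = DirIsPrivate(dir)
	fmt.Printf("EnsureDirPrivate found mode %o, private now: %v\n", before, ok)
}
```

The first line printed is false and the second reports mode 755 followed by true, which is the whole bug and fix in one run: MkdirAll alone never looks at the existing directory, and the check has to be done explicitly after it.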