CVE-2026-4342

< 1.13.9

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration in

8.8HIGH

CVE-2026-3288

< 1.13.8

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be

8.8HIGH

CVE-2024-5154

all versions

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal

8.1HIGH

CVE-2023-5528

>= 1.8.0 and < 1.25.16

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be abl

7.2HIGH

CVE-2022-3172

<= 1.21.14

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. Th

5.1MEDIUM

CVE-2023-3955

< 1.24.17

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin

8.8HIGH

CVE-2023-3676

< 1.24.17

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin

8.8HIGH

CVE-2021-25736

>= 1.18.0 and < 1.18.18

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].portâ€

5.8MEDIUM

CVE-2023-5044

< 1.9.0

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

7.6HIGH

CVE-2023-5043

< 1.9.0

Ingress nginx annotation injection causes arbitrary command execution.

7.6HIGH

CVE-2022-4886

< 1.8.0

Ingress-nginx path sanitization can be bypassed with log_format directive.

8.8HIGH

CVE-2022-4318

all versions

A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially craft

7.8HIGH

CVE-2022-3466

all versions

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-202

4.8MEDIUM

CVE-2023-2728

<= 1.24.14

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin wh

6.5MEDIUM

CVE-2023-2727

<= 1.24.14

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kub

6.5MEDIUM

CVE-2023-2431

< 1.24.14

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost typ

3.4LOW

CVE-2023-1944

<= 1.29.0

This vulnerability enables ssh access to minikube container using a default password.

8.4HIGH

CVE-2023-1174

all versions

This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote acce

9.8CRITICAL

CVE-2021-25749

>= 1.20.0 and <= 1.21.0

Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.

7.8HIGH

CVE-2021-25748

< 1.2.1

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline characte

7.6HIGH

CVE-2023-30513

<= 3909.v1f2c633e8590

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the

7.5HIGH

CVE-2022-3294

< 1.22.16

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user

6.6MEDIUM

CVE-2022-3162

<= 1.22.15

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different typ

6.5MEDIUM

CVE-2022-2995

all versions

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or pos

7.1HIGH

CVE-2022-2385

>= 0.5.2 and < 0.5.9

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username a

8.1HIGH

CVE-2022-1708

< 1.19.7

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API.

7.5HIGH

CVE-2021-25746

< 1.2.0

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotati

7.6HIGH

CVE-2021-25745

< 1.2.0

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].h

7.6HIGH

CVE-2022-27652

all versions

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found

5.3MEDIUM

CVE-2022-0811

>= 1.19.0 and < 1.19.6

A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Ku

8.8HIGH

CVE-2022-0532

<= 1.18

An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls spe

4.2MEDIUM

CVE-2020-8562

<= 1.18.18

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-loc

2.2LOW

CVE-2021-25743

<= 1.25.0

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes bu

3.0LOW

CVE-2021-25742

< 0.49.1

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippet

7.6HIGH

CVE-2021-25738

<= 9.0.2

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

6.7MEDIUM

CVE-2021-25741

<= 1.19.14

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access

8.8HIGH

CVE-2021-25740

all versions

A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise

3.1LOW

CVE-2020-8561

all versions

A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or Validatin

4.1MEDIUM

CVE-2021-25737

>= 1.16.0 and < 1.18.19

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kube

2.7LOW

CVE-2021-25735

< 1.18.18

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters

6.5MEDIUM

CVE-2021-21661

<= 1.10.0

Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers

4.3MEDIUM

CVE-2020-8570

< 9.0.2

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current direct

9.1CRITICAL

CVE-2020-8554

all versions

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs fie

6.3MEDIUM

CVE-2020-8566

>= 1.17.0 and < 1.17.13

In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be wr

4.7MEDIUM

CVE-2020-8565

>= 1.17.0 and <= 1.17.13

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can o

4.7MEDIUM

CVE-2020-8564

>= 1.17.0 and < 1.17.13

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents

4.7MEDIUM

CVE-2020-8563

< 1.19.3

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will b

4.7MEDIUM

CVE-2020-2309

<= 1.27.3

A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permiss

4.3MEDIUM

CVE-2020-2308

<= 1.27.3

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list g

4.3MEDIUM

CVE-2020-2307

<= 1.27.3

Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environmen

4.3MEDIUM

CVE-2020-8553

< 0.28.0

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and

5.9MEDIUM

CVE-2020-8558

>= 1.1.0 and <= 1.16.10

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security

5.4MEDIUM

CVE-2020-8557

< 1.16.13

The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod w

5.5MEDIUM

CVE-2019-11252

>= 1.0.0 and <= 1.17.0

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount fa

5.9MEDIUM

CVE-2020-8559

>= 1.6.0 and <= 1.15.0

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unv

6.4MEDIUM

CVE-2020-8555

< 1.15.11

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 ar

6.3MEDIUM

CVE-2019-11254

< 1.15.10

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized us

6.5MEDIUM

CVE-2020-8552

<= 1.15.9

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable

5.3MEDIUM

CVE-2020-8551

>= 1.15.0 and <= 1.15.9

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of s

4.3MEDIUM

CVE-2019-11251

>= 1.13.0 and < 1.13.11

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of

4.8MEDIUM

CVE-2018-1002102

>= 1.10.0 and <= 1.13.13

Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kub

2.6LOW

CVE-2019-14891

< 1.16.1

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in con

5.0MEDIUM

CVE-2019-11253

>= 1.1.0 and <= 1.12.10

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and

7.5HIGH

CVE-2019-11250

< 1.15.3

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unautho

6.5MEDIUM

CVE-2019-11249

>= 1.0.0 and <= 1.12.10

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes ru

6.5MEDIUM

CVE-2019-11248

< 1.12.10

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed ove

8.2HIGH

CVE-2019-11247

>= 1.7.0 and <= 1.12.10

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resour

8.1HIGH

CVE-2019-11246

>= 1.0.0 and <= 1.12.10

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes ru

6.5MEDIUM

CVE-2019-11245

all versions

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on co

4.9MEDIUM

CVE-2019-11244

>= 1.8.0 and <= 1.14.1

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube

5.0MEDIUM

CVE-2019-11243

>= 1.12.0 and <= 1.12.4

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with cre

8.1HIGH

CVE-2019-9946

< 1.11.9

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which

7.5HIGH

CVE-2019-1002101

>= 1.11.0 and < 1.11.9

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes cr

6.4MEDIUM

CVE-2019-1002100

< 1.11.8

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kuberne

6.5MEDIUM

CVE-2018-1002105

>= 1.0.0 and <= 1.9.11

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade reque

9.8CRITICAL

CVE-2018-1002103

>= 0.3.0 and <= 0.29.0

In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environme

8.1HIGH

CVE-2018-1002101

>= 1.9.0 and <= 1.9.9

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mo

5.9MEDIUM

CVE-2016-7075

all versions

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate ho

7.5HIGH

CVE-2018-1999040

<= 1.10.1

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java

8.8HIGH

CVE-2018-1000187

<= 1.7.0

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.ja

6.5MEDIUM

CVE-2018-1002100

>= 1.5.0 and <= 1.5.9

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data

4.2MEDIUM

CVE-2018-1000400

< 1.9.0

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambi

8.8HIGH

CVE-2017-1002102

>= 1.3.0 and <= 1.3.10

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configM

7.1HIGH

CVE-2017-1002101

>= 1.3.0 and <= 1.3.10

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mo

8.8HIGH

CVE-2017-1002100

all versions

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5

6.5MEDIUM

CVE-2015-7561

all versions

Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of s

3.1LOW

CVE-2017-1000056

all versions

Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the

9.8CRITICAL

CVE-2015-7528

<= 1.2.0

Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.

5.3MEDIUM

CVE-2016-1906

all versions

Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a

9.8CRITICAL

CVE-2016-1905

all versions

The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access addition

7.7HIGH