rpm package
suse/kubernetes1.23&distro=SUSE Enterprise Storage 7.1
pkg:rpm/suse/kubernetes1.23&distro=SUSE%20Enterprise%20Storage%207.1
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22872 | Med | 6.5 | < 1.23.17-150300.7.12.1 | 1.23.17-150300.7.12.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2024-0793 | Hig | 7.7 | < 1.23.17-150300.7.12.1 | 1.23.17-150300.7.12.1 | Nov 17, 2024 | A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn. | |
| CVE-2024-3177 | Low | 2.7 | < 1.23.17-150300.7.12.1 | 1.23.17-150300.7.12.1 | Apr 22, 2024 | A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T | |
| CVE-2023-2728 | — | < 1.23.17-150300.7.9.1 | 1.23.17-150300.7.9.1 | Jul 3, 2023 | Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s se | ||
| CVE-2023-2727 | — | < 1.23.17-150300.7.9.1 | 1.23.17-150300.7.9.1 | Jul 3, 2023 | Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. | ||
| CVE-2023-2431 | — | < 1.23.17-150300.7.12.1 | 1.23.17-150300.7.12.1 | Jun 16, 2023 | A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in un | ||
| CVE-2021-25749 | — | < 1.23.17-150300.7.6.1 | 1.23.17-150300.7.6.1 | May 24, 2023 | Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. | ||
| CVE-2022-3294 | — | < 1.23.17-150300.7.6.1 | 1.23.17-150300.7.6.1 | Mar 1, 2023 | Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoint | ||
| CVE-2022-3162 | — | < 1.23.17-150300.7.6.1 | 1.23.17-150300.7.6.1 | Mar 1, 2023 | Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomRes | ||
| CVE-2021-25743 | — | < 1.23.17-150300.7.12.1 | 1.23.17-150300.7.12.1 | Jan 7, 2022 | kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. |
- affected < 1.23.17-150300.7.12.1fixed 1.23.17-150300.7.12.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 1.23.17-150300.7.12.1fixed 1.23.17-150300.7.12.1
A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
- affected < 1.23.17-150300.7.12.1fixed 1.23.17-150300.7.12.1
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T
- CVE-2023-2728Jul 3, 2023affected < 1.23.17-150300.7.9.1fixed 1.23.17-150300.7.9.1
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s se
- CVE-2023-2727Jul 3, 2023affected < 1.23.17-150300.7.9.1fixed 1.23.17-150300.7.9.1
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
- CVE-2023-2431Jun 16, 2023affected < 1.23.17-150300.7.12.1fixed 1.23.17-150300.7.12.1
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in un
- CVE-2021-25749May 24, 2023affected < 1.23.17-150300.7.6.1fixed 1.23.17-150300.7.6.1
Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
- CVE-2022-3294Mar 1, 2023affected < 1.23.17-150300.7.6.1fixed 1.23.17-150300.7.6.1
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoint
- CVE-2022-3162Mar 1, 2023affected < 1.23.17-150300.7.6.1fixed 1.23.17-150300.7.6.1
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomRes
- CVE-2021-25743Jan 7, 2022affected < 1.23.17-150300.7.12.1fixed 1.23.17-150300.7.12.1
kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.