k8s.io/kuberneteS-v1.15.9: 2 vulnerabilities (highest severity is: 6.6) #60
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Production-Grade Container Scheduling and Management
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.15.9.zip
Path to dependency file: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Path to vulnerable library: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - k8s.io/kuberneteS-v1.15.9
Production-Grade Container Scheduling and Management
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.15.9.zip
Path to dependency file: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Path to vulnerable library: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.
Publish Date: 2023-03-01
URL: CVE-2022-3294
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Vulnerable Library - k8s.io/kuberneteS-v1.15.9
Production-Grade Container Scheduling and Management
Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.15.9.zip
Path to dependency file: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Path to vulnerable library: /go_modules/spec/fixtures/projects/repo_not_found/go.mod
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Publish Date: 2023-07-03
URL: CVE-2023-2727
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.The text was updated successfully, but these errors were encountered: