Official CVE Feed
FEATURE STATE:
Kubernetes v1.25 [alpha]
This is a community-maintained list of official CVEs announced by the Kubernetes Security Response Committee (SRC). For more details, see Kubernetes Security and Disclosure Information.
The Kubernetes project publishes a programmatically accessible JSON Feed of published security issues. You can retrieve it by running the following command:
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
CVE ID | Issue Summary | CVE GitHub Issue URL |
---|---|---|
CVE-2022-3172 | Aggregated API server can cause clients to be redirected (SSRF) | #112513 |
CVE-2021-25749 | `runAsNonRoot` logic bypass for Windows containers | #112192 |
CVE-2021-25741 | Symlink Exchange Can Allow Host Filesystem Access | #104980 |
CVE-2021-25737 | Holes in EndpointSlice Validation Enable Host Network Hijack | #102106 |
CVE-2021-25735 | Validating Admission Webhook does not observe some previous fields | #100096 |
CVE-2020-8554 | Man in the middle using LoadBalancer or ExternalIPs | #97076 |
CVE-2020-8566 | Ceph RBD adminSecrets exposed in logs when loglevel >= 4 | #95624 |
CVE-2020-8565 | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | #95623 |
CVE-2020-8564 | Docker config secrets leaked when file is malformed and log level >= 4 | #95622 |
CVE-2020-8563 | Secret leaks in kube-controller-manager when using vSphere provider | #95621 |
CVE-2020-8557 | Node disk DOS by writing to container /etc/hosts | #93032 |
CVE-2020-8559 | Privilege escalation from compromised node to cluster | #92914 |
CVE-2020-8558 | Node setting allows for neighboring hosts to bypass localhost boundary | #92315 |
CVE-2020-8555 | Half-Blind SSRF in kube-controller-manager | #91542 |
CVE-2020-10749 | IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements | #91507 |
CVE-2019-11254 | kube-apiserver Denial of Service vulnerability from malicious YAML payloads | #89535 |
CVE-2020-8552 | apiserver DoS (oom) | #89378 |
CVE-2020-8551 | Kubelet DoS via API | #89377 |
CVE-2018-1002102 | Unvalidated redirect | #85867 |
CVE-2019-11248 | /debug/pprof exposed on kubelet's healthz port | #81023 |
CVE-2019-11249 | Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal | #80984 |
CVE-2019-11247 | API server allows access to custom resources via wrong scope | #80983 |
CVE-2019-11243 | rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig() | #76797 |
CVE-2019-1002100 | json-patch requests can exhaust apiserver resources | #74534 |
CVE-2018-1002105 | proxy request handling in kube-apiserver can leave vulnerable TCP connections | #71411 |
CVE-2017-1002102 | atomic writer volume handling allows arbitrary file deletion in host filesystem | #60814 |
CVE-2017-1002101 | subpath volume mount handling allows arbitrary file access in host filesystem | #60813 |
CVE-2017-1000056 | PodSecurityPolicy admission plugin authorizes incorrectly | #43459 |
This feed is refreshed automatically, but there is a noticeable though small lag (minutes to hours) between the announcement of a CVE and its appearance in this feed.
The source of truth for this feed is a set of GitHub Issues, filtered by the controlled and restricted label official-cve-feed.
The raw data is stored in a Google Cloud Bucket that is writable only by a small number of trusted members of the community.
Last modified August 28, 2022 at 11:50 AM PST: [zh] updated official-cve-feed.md (125637f673)