All errata/p9/ALT-PU-2020-2338-2
ALT-PU-2020-2338-2

Package update kubernetes in branch p9

Version1.18.5-alt1
Task#254411
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (11)

CVE-2019-11254
MEDIUM6.5

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Published: 2020-04-01Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
CVE-2020-8551
MEDIUM6.5

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Published: 2020-03-27Modified: 2024-11-21
CVSS 2.0LOW 3.3
CVSS:2.0/AV:A/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2020-8552
MEDIUM4.3

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.

Published: 2020-03-27Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
References
CVE-2020-8555
MEDIUM6.3

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Published: 2020-06-05Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References
CVE-2020-8558
HIGH8.8

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Published: 2020-07-27Modified: 2024-11-21
CVSS 2.0MEDIUM 5.8
CVSS:2.0/AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-82hx-w2r5-c2wq
MEDIUM5.3

Kubernetes API Server DoS Via API Requests

Published: 2022-02-15Modified: 2023-09-21
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-qhm4-jxv7-j9pq
MEDIUM4.3

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes

Published: 2022-02-15Modified: 2023-01-28
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-wqv3-8cm6-h6wg
HIGH8.8

Improper Authentication in Kubernetes

Published: 2022-02-15Modified: 2023-01-07
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-wxc4-f4m6-wwqv
MEDIUM6.5

Excessive Platform Resource Consumption within a Loop in Kubernetes

Published: 2021-12-20Modified: 2023-02-09
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
GHSA-x6mj-w4jf-jmgw
MEDIUM6.3

Server Side Request Forgery (SSRF) in Kubernetes

Published: 2022-02-15Modified: 2023-09-19
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References