Description
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container", which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
References (2)
Core References
Patch, Third Party Advisory x_refsource_misc
https://groups.google.com/d/msg/kubernetes-security-announce/n3VBg_WJZic/-ddIqKXqAAAJ
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/47611
Scores
CVSS v3
6.5
EPSS
0.0133
EPSS Percentile
67.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (8)
kubernetes/kubernetes
1.6.0 (11 CPE variants)
kubernetes/kubernetes
1.6.1 (2 CPE variants)
kubernetes/kubernetes
1.6.2 (2 CPE variants)
kubernetes/kubernetes
1.6.3 (3 CPE variants)
kubernetes/kubernetes
1.6.4 (3 CPE variants)
kubernetes/kubernetes
1.6.5 (2 CPE variants)
Kubernetes/Kubernetes
unspecified - v1.6.5
Kubernetes/Kubernetes
v1.6.0 - unspecified
Published
Sep 14, 2017
Tracked Since
Feb 18, 2026