CVE-2017-1002100

MEDIUM

Kubernetes Azure <1.6.5 - Info Disclosure

Title source: llm

Description

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container", which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.

References (2)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/47611

Scores

CVSS v3 6.5
EPSS 0.0133
EPSS Percentile 67.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (8)
kubernetes/kubernetes 1.6.0 (11 CPE variants)
kubernetes/kubernetes 1.6.1 (2 CPE variants)
kubernetes/kubernetes 1.6.2 (2 CPE variants)
kubernetes/kubernetes 1.6.3 (3 CPE variants)
kubernetes/kubernetes 1.6.4 (3 CPE variants)
kubernetes/kubernetes 1.6.5 (2 CPE variants)
Kubernetes/Kubernetes unspecified - v1.6.5
Kubernetes/Kubernetes v1.6.0 - unspecified
Published Sep 14, 2017
Tracked Since Feb 18, 2026