Description
Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes-incubator/cri-o/pull/1558/files
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/104262
Scores
CVSS v3
8.8
EPSS
0.0211
EPSS Percentile
79.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
kubernetes/cri-o
< 1.9.0
Published
May 18, 2018
Tracked Since
Feb 18, 2026