Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1000400

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.

Published

2018-05-18T18:29:00.233

Last Modified

2024-11-21T03:39:59.210

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	kubernetes	cri-o	< 1.9.0	Yes

References

http://www.securityfocus.com/bid/104262 Third Party Advisory, VDB Entry ([email protected])
https://github.com/kubernetes-incubator/cri-o/pull/1558/files Patch, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/104262 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/kubernetes-incubator/cri-o/pull/1558/files Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)