k8s.io/kubernetes (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package k8s.io/kubernetes, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (50)
CVE-2017-1000056 — CVSS 9.8 (critical): Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability…
CVE-2023-3676 — CVSS 8.8 (high): A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin…
CVE-2021-25741 — CVSS 8.8 (high): A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files &…
CVE-2023-3955 — CVSS 8.8 (high): A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin…
CVE-2019-11243 — CVSS 8.1 (high): In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials…
CVE-2024-0793 — CVSS 7.7 (high): A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a…
CVE-2019-11253 — CVSS 7.5 (high): Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2…
CVE-2023-5528 — CVSS 7.2 (high): A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to…
CVE-2017-1002102 — CVSS 7.1 (high): In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap…
CVE-2025-5187 — CVSS 6.7 (medium): A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding…
CVE-2022-3294 — CVSS 6.6 (medium): Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can…
CVE-2022-3162 — CVSS 6.5 (medium): Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the…
CVE-2019-1002100 — CVSS 6.5 (medium): In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API…
CVE-2019-11250 — CVSS 6.5 (medium): The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized…
CVE-2021-25735 — CVSS 6.5 (medium): A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only…
CVE-2023-2727 — CVSS 6.5 (medium): Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes…
CVE-2023-2728 — CVSS 6.5 (medium): Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using…
CVE-2025-1767 — CVSS 6.5 (medium): This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same…
CVE-2020-8559 — CVSS 6.4 (medium): The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated…
CVE-2019-1002101 — CVSS 6.4 (medium): The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a…
CVE-2015-5305 — CVSS 6.4 (medium): Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files…
CVE-2020-8555 — CVSS 6.3 (medium): The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are…
CVE-2020-8554 — CVSS 6.3 (medium): Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to…
CVE-2025-0426 — CVSS 6.2 (medium): A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet…
CVE-2024-5321 — CVSS 6.1 (medium): A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT…
CVE-2018-1002101 — CVSS 5.9 (medium): In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on…
CVE-2024-9042 — CVSS 5.9 (medium): This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions…
CVE-2021-25736 — CVSS 5.8 (medium): Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a…
CVE-2025-13281 — CVSS 5.8 (medium): A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx…
CVE-2020-8557 — CVSS 5.5 (medium): The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which…
CVE-2020-8558 — CVSS 5.4 (medium): The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue…
CVE-2019-11245 — CVSS 4.9 (medium): In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container…
CVE-2019-11251 — CVSS 4.8 (medium): The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two…
CVE-2020-8564 — CVSS 4.7 (medium): In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the…
CVE-2020-8566 — CVSS 4.7 (medium): In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to…
CVE-2020-8565 — CVSS 4.7 (medium): In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both…
CVE-2020-8563 — CVSS 4.7 (medium): In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked…
CVE-2020-8551 — CVSS 4.3 (medium): The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service…
CVE-2018-1002100 — CVSS 4.2 (medium): In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned…
CVE-2020-8561 — CVSS 4.1 (medium): A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or…
CVE-2023-2431 — CVSS 3.4 (low): A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for…
CVE-2021-25740 — CVSS 3.1 (low): A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have…
CVE-2024-7598 — CVSS 3.1 (low): A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network…
CVE-2015-7561 — CVSS 3.1 (low): Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
CVE-2021-25743 — CVSS 3.0 (low): kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not…
CVE-2024-3177 — CVSS 2.7 (low): A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy…
CVE-2025-4563 — CVSS 2.7 (low): A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks…
CVE-2021-25737 — CVSS 2.7 (low): A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes…
CVE-2020-8562 — CVSS 2.2 (low): As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or…