PT-2017-11019 · Microsoft · Kubernetes Azure Cloud Provider
Brandon Philips · Published 2017-09-14 · Updated 2017-09-29 · CVE-2017-1002100
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Kubernetes Azure cloud provider versions 1.6.0 through 1.6.5
Description
The issue concerns the default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider. These permissions are set to "container", which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
Recommendations
For versions 1.6.0 through 1.6.5, consider restricting access to the exposed URI to prevent unauthorized access until a fix is available. As a temporary workaround, limit privileged access to the Kubernetes cluster and authenticated access to the Azure portal to minimize the risk of exploitation.
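As an added example, not part of the advisory, the following Python audit flags storage containers that allow anonymous access in the JSON produced by `az storage container list` and builds the CLI calls that switch them to private. The sample listing, the account and container names, and the reliance on only the `name` and `properties.publicAccess` fields are assumptions.

```python
"""Audit Azure storage containers for anonymous (public) access levels."""
import json
from typing import List, Tuple

# Constructed sample in the shape of `az storage container list -o json`
# (assumption: only `name` and `properties.publicAccess` are consulted).
SAMPLE_LISTING = json.dumps([
    {"name": "vhds", "properties": {"publicAccess": "container"}},
    {"name": "logs", "properties": {"publicAccess": "blob"}},
    {"name": "private-data", "properties": {"publicAccess": None}},
])

# "container" exposes listing and reads to anyone with the URI; "blob" still
# allows anonymous reads of individual blobs, so both are flagged.
PUBLIC_LEVELS = {"container", "blob"}


def find_public_containers(listing_json: str) -> List[Tuple[str, str]]:
    """Return (name, level) for every container reachable without credentials."""
    flagged = []
    for entry in json.loads(listing_json):
        level = (entry.get("properties") or {}).get("publicAccess")
        if level and level.lower() in PUBLIC_LEVELS:
            flagged.append((entry["name"], level.lower()))
    return flagged


def remediation_commands(account: str, flagged) -> List[str]:
    """Build the az CLI calls that turn anonymous access off for each hit.

    Assumption: `az storage container set-permission --public-access off`
    changes only the access policy; data and PV bindings are untouched.
    """
    return [
        f"az storage container set-permission --account-name {account} "
        f"--name {name} --public-access off"
        for name, _ in flagged
    ]


if __name__ == "__main__":
    hits = find_public_containers(SAMPLE_LISTING)
    for name, level in hits:
        print(f"PUBLIC: {name} (publicAccess={level})")
    for cmd in remediation_commands("mystorageacct", hits):  # account name assumed
        print(cmd)
```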
Fix
Information Disclosure
Weakness Enumeration
Related identifiers
Affected products
Kubernetes Azure Cloud Provider