diff --git a/content/en/blog/_posts/2022-10-05-current-state-2019-third-party-audit.md b/content/en/blog/_posts/2022-10-05-current-state-2019-third-party-audit.md index 1588b31e76..d7a7effe87 100644 --- a/content/en/blog/_posts/2022-10-05-current-state-2019-third-party-audit.md +++ b/content/en/blog/_posts/2022-10-05-current-state-2019-third-party-audit.md 
@@ -38,11 +38,11 @@ commenting directly on the relevant issue. | **\#** | **Title** | **Issue** | **Status** | | ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 1 | hostPath PersistentVolumes enable PodSecurityPolicy bypass | [#81110](https://github.com/kubernetes/kubernetes/issues/81110) | closed, addressed by [kubernetes/website#15756](https://github.com/kubernetes/website/pull/15756) | +| 1 | hostPath PersistentVolumes enable PodSecurityPolicy bypass | [#81110](https://github.com/kubernetes/kubernetes/issues/81110) | closed, addressed by [kubernetes/website#15756](https://github.com/kubernetes/website/pull/15756) and [kubernetes/kubernetes#109798](https://github.com/kubernetes/kubernetes/pull/109798) | | 2 | Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | duplicate of [#18982](https://github.com/kubernetes/kubernetes/issues/18982) and **needs a KEP** | | 3 | HTTPS connections are not authenticated | [#81112](https://github.com/kubernetes/kubernetes/issues/81112) | Largely left as an end user exercise in setting up the right configuration | | 4 | TOCTOU when moving PID to manager's cgroup via kubelet | [#81113](https://github.com/kubernetes/kubernetes/issues/81113) | Requires Node access for successful exploitation. 
Fix needed | -| 5 | Improperly patched directory traversal in kubectl cp | [#76788](https://github.com/kubernetes/kubernetes/pull/76788) | closed, assigned [CVE-2019-11249](https://github.com/advisories/GHSA-v8c4-hw4j-x4pr), fixed in [#80436](https://github.com/kubernetes/kubernetes/pull/80436) | +| 5 | Improperly patched directory traversal in `kubectl cp` | [#76788](https://github.com/kubernetes/kubernetes/pull/76788) | closed, assigned [CVE-2019-11249](https://github.com/advisories/GHSA-v8c4-hw4j-x4pr), fixed in [#80436](https://github.com/kubernetes/kubernetes/pull/80436) | | 6 | Bearer tokens are revealed in logs | [#81114](https://github.com/kubernetes/kubernetes/issues/81114) | closed, assigned [CVE-2019-11250](https://github.com/advisories/GHSA-jmrx-5g74-6v2f), fixed in [#81330](https://github.com/kubernetes/kubernetes/pull/81330) | | 7 | Seccomp is disabled by default | [#81115](https://github.com/kubernetes/kubernetes/issues/81115) | closed, addressed by [#101943](https://github.com/kubernetes/kubernetes/pull/101943) | | 8 | Pervasive world-accessible file permissions | [#81116](https://github.com/kubernetes/kubernetes/issues/81116) | [#112384](https://github.com/kubernetes/kubernetes/pull/112384) ( in progress) | 
@@ -121,7 +121,7 @@ benefits to fix a particular issue higher or lower. | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | --------------- | ---------- | -------------------- | | Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | High | High | Medium | | Use of InsecureSkipVerify and other TLS weaknesses | [#81119](https://github.com/kubernetes/kubernetes/issues/81119) | High | High | Medium | -| Kubectl can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium | +| `kubectl` can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium | | Improper fetching of PIDs allows incorrect cgroup movement | [#81124](https://github.com/kubernetes/kubernetes/issues/81124) | Medium | Medium | Medium | | kubelet liveness probes can be used to enumerate host network | [#81129](https://github.com/kubernetes/kubernetes/issues/81129) | High | High | Medium | | API Server supports insecure TLS ciphersuites | [#81145](https://github.com/kubernetes/kubernetes/issues/81145) | Medium | Medium | Low |
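Review bot: In the first hunk (@@ -38), the status cell for issue 1 now cites two different kinds of change, a website PR and a kubernetes/kubernetes PR, but the text still reads only "closed, addressed by"; a few words on what #109798 added over the original docs-only fix (code change versus documentation) would tell readers whether the bypass itself was closed or only documented. Also consider tidying the unchanged issue 8 row in the same hunk, which has a stray leading space in "( in progress)".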
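Review bot: In the second hunk (@@ -121), wrapping `kubectl` in backticks is applied to one row only, while neighbouring rows in the same table still name "kubelet" and "API Server" as plain text; pick one convention for component and command names across the table (either format all of them as code or none) so the change does not leave the column inconsistent.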