Vulnerability Details : CVE-2018-1000400
Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.
Products affected by CVE-2018-1000400
- cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000400
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1000400
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2018-1000400
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000400
-
https://github.com/kubernetes-incubator/cri-o/pull/1558/files
[1.9] Remove ambient capabilities by mrunalp · Pull Request #1558 · cri-o/cri-o · GitHubPatch;Third Party Advisory
-
http://www.securityfocus.com/bid/104262
Kubernetes CRI-O CVE-2018-1000400 Remote Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
Jump to