CVE-2016-1905
high
CVSS v3
7.7
CVSS v2
4.0
VIR risk
7.7
Description
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
Predictions
Exploit likelihood
85%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-1905
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/kubernetes/kubernetes | <1.2.0-alpha.6 | 1.2.0-alpha.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| kubernetes | kubernetes | - | |
References
- https://access.redhat.com/errata/RHSA-2016:0070
- https://github.com/kubernetes/kubernetes/issues/19479
- https://nvd.nist.gov/vuln/detail/CVE-2016-1905
- https://github.com/kubernetes/kubernetes/commit/9e6912384a5bc714f2a780b870944a8cee264a22
- https://access.redhat.com/errata/RHSA-2016:0351
- https://access.redhat.com/security/cve/CVE-2016-1905
- https://bugzilla.redhat.com/show_bug.cgi?id=1297910
- https://github.com/advisories/GHSA-xx8c-m748-xr4j
- https://security-tracker.debian.org/tracker/CVE-2016-1905
CWEs
CWE-284
Verify integrity in audit chain (admin only). AS-IS.