Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567 PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568 PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569 PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when:
- The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
- The snapshot-controller crashes, ...
CVE-2020-8570 PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
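The bug class behind CVE-2020-8570 is archive path traversal: when files are copied out of a pod as a tar stream, a member whose name contains `../` components, is absolute, or is a symlink pointing outside the destination gets written wherever the name says rather than under the intended directory. The Go extractor below is an added example of the check that prevents this; it is not code from the Kubernetes Java client or from the advisory, and the `safeJoin`, `Extract` and `makeArchive` names, the `entry` type and the archive contents are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("archive member escapes destination directory")
// safeJoin joins a member name onto dest, rejecting absolute names and names that climb above dest; the check is lexical.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join collapses ".." segments
	rel, err := filepath.Rel(filepath.Clean(dest), target)
	if filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// Extract unpacks a tar stream into dest, refusing files and symlinks that would land outside dest, and returns the paths it created.
func Extract(r io.Reader, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		} else if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755)
		}
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644); err == nil {
				_, err = io.Copy(f, tr) // tar.Reader bounds the read to hdr.Size
				f.Close()
			}
		case tar.TypeSymlink:
			// A later member written through this link would follow it, so the link target (resolved from the member's directory unless absolute) must stay inside dest too.
			link := hdr.Linkname
			if !filepath.IsAbs(link) {
				link = filepath.Join(filepath.Dir(hdr.Name), link)
			}
			if _, err = safeJoin(dest, link); err == nil {
				err = os.Symlink(hdr.Linkname, target)
			}
		default:
			continue // directories arise as parents of their files; hard links, devices and FIFOs are skipped
		}
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// entry describes one member of the constructed sample archives; link != "" makes it a symlink.
type entry struct{ name, content, link string }
// makeArchive builds a tar archive in memory: constructed sample input, not a real pod capture.
func makeArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.content))}
		if e.link != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, e.link, 0
		}
		must(tw.WriteHeader(hdr))
		_, err := tw.Write([]byte(e.content)) // zero bytes for a symlink member
		must(err)
	}
	must(tw.Close())
	return buf.Bytes()
}
func must(err error) { // the sample archives are built inline, so any error here is a bug in the sample
	if err != nil {
		panic(err)
	}
}

func main() {
	dest, err := os.MkdirTemp("", "pod-copy-")
	must(err)
	defer os.RemoveAll(dest)
	crafted := makeArchive([]entry{{name: "app/notes.txt", content: "ok\n"}, {name: "../../escaped.txt", content: "# injected\n"}})
	files, err := Extract(bytes.NewReader(crafted), dest) // crafted as a malicious pod might answer a copy request: the second member climbs out with "../"
	fmt.Println("wrote", files, "then rejected:", errors.Is(err, ErrTraversal))
}
```

The containment test is lexical: `filepath.Join` collapses `..` before `filepath.Rel` compares the result against the destination, so `a/../../x` and a bare `..` are caught along with the obvious `../x`. The same test is applied to symlink targets, because a link accepted in one member turns a later member into a write outside the destination. What this does not cover is a symlink that already exists in the destination before extraction starts; the usual answer is to extract into a freshly created empty directory, as `main` does with `os.MkdirTemp`.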
CVE-2020-8554 PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...
User Rank: Apprentice
3/19/2014 | 1:04:31 AM
@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). Fwiw, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/ComSci from a top 50 program and some experience (~2-3 yrs) as a network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria are generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.