container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Kubernetes validating admission webhook bypass (CVE-2021-25735)
CVE-2021-25735 let attackers bypass Kubernetes validating admission webhooks on Node objects via a kube-apiserver flaw. Here's the fix and detection path.
Hardening Oracle Kubernetes Engine (OKE) clusters
A practical, command-by-command guide to OKE security best practices: locking down the API endpoint, network security lists, pod security policies, IAM, and image signing.
containerd CRI plugin mount escape (CVE-2022-23648)
CVE-2022-23648 let crafted pod volume specs bypass containerd's CRI mount isolation to reach arbitrary host files — versions, severity, and fixes.
Linux AF_PACKET privilege escalation (CVE-2020-14386)
CVE-2020-14386 lets a local attacker with CAP_NET_RAW corrupt Linux kernel heap memory via AF_PACKET and escalate privileges. Here's the fix and impact.
Detecting container threats in OCI with Cloud Guard
How OCI Cloud Guard detects container threats in OKE — detector recipes, responder rules, real blind spots, and where Safeguard adds runtime and supply-chain coverage.
Comparing container registry security features across maj...
A practical, no-fluff comparison of ECR vs ACR vs GAR vs OCIR on scanning depth, signing, IAM, and compliance — plus where Harbor fits and how Safeguard unifies them.
How Log4Shell exposed cloud container images and how to d...
Log4Shell (CVE-2021-44228) still hides in container images years later. Here's how it works, its CVSS/EPSS/KEV context, and how to detect and remediate it across ECR, ACR, and GAR.
Docker symlink race condition escape (CVE-2018-15664)
A TOCTOU race in Docker's docker cp symlink resolution let malicious containers write to host files as root. Impact, CVSS, and fixes inside.
Docker Engine crafted image denial of service (CVE-2021-21285)
CVE-2021-21285 lets a crafted container image crash Docker Engine before 20.10.3. Affected versions, severity, timeline, and remediation steps.
Docker Engine remap-root UID mapping vulnerability (CVE-2021-21284)
CVE-2021-21284 let remapped-root containers escalate to real host root, defeating Docker's userns-remap isolation. Here's the full breakdown and fix.
Time-of-check to time-of-use (TOCTOU) race condition vulnerabilities
TOCTOU race conditions let attackers swap a resource between a security check and its use. Real CVEs, exploit mechanics, and prevention patterns explained.
Kubernetes RBAC misconfiguration explained
RBAC misconfigurations like wildcard rules and default service account bindings have powered real cluster takeovers, from CVE-2018-1002105 to Siloscape.