Safeguard
Tag

kubernetes-security

Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.

125 articles

Vulnerability Analysis

Linux cgroups release_agent container escape (CVE-2022-0492)

CVE-2022-0492 lets containers with CAP_SYS_ADMIN escape via cgroup v1's release_agent. Impact, timeline, and concrete remediation steps inside.

Jan 9, 20267 min read
Vulnerability Analysis

containerd-shim abstract Unix socket container escape (CVE-2020-15257)

CVE-2020-15257 let containers sharing a host network namespace abuse containerd-shim's abstract socket API. Here's the impact, fix, and remediation path.

Jan 9, 20267 min read
Vulnerability Analysis

Kubernetes validating admission webhook bypass (CVE-2021-25735)

CVE-2021-25735 let attackers bypass Kubernetes validating admission webhooks on Node objects via a kube-apiserver flaw. Here's the fix and detection path.

Jan 8, 20267 min read
Vulnerability Analysis

Kubernetes kubelet symlink volume mount escape (CVE-2021-25741)

CVE-2021-25741 lets attackers escape subPath volume mounts in Kubernetes kubelet via a symlink race, exposing host files and enabling privilege escalation.

Jan 8, 20267 min read
Vulnerability Analysis

containerd CRI plugin mount escape (CVE-2022-23648)

CVE-2022-23648 let crafted pod volume specs bypass containerd's CRI mount isolation to reach arbitrary host files — versions, severity, and fixes.

Jan 8, 20266 min read
Container Security

Detecting container threats in OCI with Cloud Guard

How OCI Cloud Guard detects container threats in OKE — detector recipes, responder rules, real blind spots, and where Safeguard adds runtime and supply-chain coverage.

Jan 7, 20267 min read
Vulnerability Analysis

Kubernetes Python client aggregated API vulnerability (CVE-2022-3172)

CVE-2022-3172 lets a rogue aggregated API backend redirect authenticated Kubernetes API traffic, exposing Python client apps to credential theft.

Dec 28, 20257 min read
Vulnerability Analysis

Kubernetes RBAC misconfiguration explained

RBAC misconfigurations like wildcard rules and default service account bindings have powered real cluster takeovers, from CVE-2018-1002105 to Siloscape.

Dec 4, 20256 min read
DevSecOps

Argo CD Path Traversal via Malicious Helm Chart values.ya...

CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.

Nov 24, 20257 min read
Vulnerability Analysis

Helm Chart Repository Index Cache Confusion Vulnerability...

CVE-2021-32690 is a Helm chart repository index cache confusion flaw fixed in 3.6.1 that could push users toward an unintended chart. Here's what matters.

Nov 24, 20258 min read
Vulnerability Analysis

runc Container Breakout via /proc/self/exe Overwrite (CVE...

CVE-2019-5736 let a malicious container overwrite the host runc binary, escaping isolation to gain root on the Docker or Kubernetes host.

Nov 21, 20257 min read
Vulnerability Analysis

containerd-shim Abstract Unix Socket Exposure Enabling Co...

CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.

Nov 21, 20258 min read
kubernetes-security (Page 8) — Safeguard Blog