Skip to content

ClusterVulnerabilityReport

An instance of the ClusterVulnerabilityReport represents the latest vulnerabilities found in kubernetes cluster control-plane and node components. It consists of a list of control-plane and node components vulnerabilities with a summary of vulnerabilities grouped by severity. ClusterVulnerabilityReports are based on CVEs from the K8s vulnerability advisory.

The following listing shows a sample ClusterVulnerabilityReport associated with the kind cluster v1.21.1

apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterVulnerabilityReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2023-11-30T08:29:43Z"
  generation: 1
  labels:
    resource-spec-hash: 6b5887445b
    trivy-operator.container.name: k8s-cluster
    trivy-operator.resource.kind: ClusterSbomReport
    trivy-operator.resource.name: 584b5cdcd5
    trivy-operator.resource.namespace: ""
  name: clustersbomreport-584b5cdcd5-k8s-cluster
  ownerReferences:
  - apiVersion: aquasecurity.github.io/v1alpha1
    blockOwnerDeletion: false
    controller: true
    kind: ClusterSbomReport
    name: 584b5cdcd5
    uid: 6b8a7458-696e-48fd-9aee-fd6747d25c42
  resourceVersion: "2487"
  uid: d7124d11-e744-4e10-97e3-dd03f84fd0b4
report:
  artifact:
    repository: kubernetes
    tag: 1.21.1
  os:
    eosl: true
    family: ubuntu
    name: "21.04"
  registry:
    server: k8s.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.57.1
  summary:
    criticalCount: 0
    highCount: 4
    lowCount: 2
    mediumCount: 9
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2023-11-30T08:29:42Z"
  vulnerabilities:
  - fixedVersion: 1.5.9
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:39:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-43816
    publishedDate: "2022-01-05T19:15:00Z"
    resource: github.com/containerd/containerd
    score: 9.1
    severity: HIGH
    target: ""
    title: Unprivileged pod may bind mount any privileged regular file on disk
    vulnerabilityID: CVE-2021-43816
  - fixedVersion: 1.4.13, 1.5.10, 1.6.1
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:44:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-23648
    publishedDate: "2022-03-03T14:15:00Z"
    resource: github.com/containerd/containerd
    score: 7.5
    severity: HIGH
    target: ""
    title: 'containerd: insecure handling of image volumes'
    vulnerabilityID: CVE-2022-23648
  - fixedVersion: 1.4.8, 1.5.4
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:35:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-32760
    publishedDate: "2021-07-19T21:15:00Z"
    resource: github.com/containerd/containerd
    score: 6.3
    severity: MEDIUM
    target: ""
    title: pulling and extracting crafted container image may result in Unix file
      permission changes
    vulnerabilityID: CVE-2021-32760
  - fixedVersion: 1.4.11, 1.5.7
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:38:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-41103
    publishedDate: "2021-10-04T17:15:00Z"
    resource: github.com/containerd/containerd
    score: 7.8
    severity: MEDIUM
    target: ""
    title: insufficiently restricted permissions on container root and plugin directories
    vulnerabilityID: CVE-2021-41103
  - fixedVersion: 1.5.16, 1.6.12
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:44:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-23471
    publishedDate: "2022-12-07T23:15:00Z"
    resource: github.com/containerd/containerd
    score: 6.5
    severity: MEDIUM
    target: ""
    title: containerd is an open source container runtime. A bug was found in con
      ...
    vulnerabilityID: CVE-2022-23471
  - fixedVersion: 1.5.13, 1.6.6
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T03:47:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-31030
    publishedDate: "2022-06-09T14:15:00Z"
    resource: github.com/containerd/containerd
    score: 5.5
    severity: MEDIUM
    target: ""
    title: containerd is an open source container runtime. A bug was found in the
      ...
    vulnerabilityID: CVE-2022-31030
  - fixedVersion: 1.5.18, 1.6.18
    installedVersion: 1.5.2
    lastModifiedDate: "2023-11-07T04:08:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-25153
    publishedDate: "2023-02-16T15:15:00Z"
    resource: github.com/containerd/containerd
    score: 5.5
    severity: MEDIUM
    target: ""
    title: 'containerd: OCI image importer memory exhaustion'
    vulnerabilityID: CVE-2023-25153
  - fixedVersion: 1.5.18, 1.6.18
    installedVersion: 1.5.2
    lastModifiedDate: "2023-09-15T21:15:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-25173
    publishedDate: "2023-02-16T15:15:00Z"
    resource: github.com/containerd/containerd
    score: 7.8
    severity: MEDIUM
    target: ""
    title: 'containerd: Supplementary groups are not set up properly'
    vulnerabilityID: CVE-2023-25173
  - fixedVersion: 1.4.12, 1.5.8
    installedVersion: 1.5.2
    lastModifiedDate: ""
    links: []
    primaryLink: https://github.com/advisories/GHSA-5j5w-g665-5m35
    publishedDate: ""
    resource: github.com/containerd/containerd
    score: 3
    severity: LOW
    target: ""
    title: Ambiguous OCI manifest parsing
    vulnerabilityID: GHSA-5j5w-g665-5m35
  - fixedVersion: 1.22.16, 1.23.14, 1.24.8, 1.25.4
    installedVersion: 1.21.1
    lastModifiedDate: "2023-05-11T15:15:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-3162
    publishedDate: "2023-03-01T19:15:00Z"
    resource: k8s.io/apiserver
    score: 6.5
    severity: MEDIUM
    target: ""
    title: Unauthorized read of Custom Resources
    vulnerabilityID: CVE-2022-3162
  - fixedVersion: 1.24.15, 1.25.11, 1.26.6, 1.27.3
    installedVersion: 1.21.1
    lastModifiedDate: "2023-08-03T15:15:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2727
    publishedDate: "2023-07-03T21:15:00Z"
    resource: k8s.io/apiserver
    score: 6.5
    severity: MEDIUM
    target: ""
    title: Bypassing policies imposed by the ImagePolicyWebhook  admission plugin
    vulnerabilityID: CVE-2023-2727
  - fixedVersion: 1.24.15, 1.25.11, 1.26.6, 1.27.3
    installedVersion: 1.21.1
    lastModifiedDate: "2023-08-03T15:15:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2728
    publishedDate: "2023-07-03T21:15:00Z"
    resource: k8s.io/apiserver
    score: 6.5
    severity: MEDIUM
    target: ""
    title: Bypassing enforce mountable secrets policy imposed by the  ServiceAccount
      admission plugin
    vulnerabilityID: CVE-2023-2728
  - fixedVersion: 1.19.16, 1.20.11, 1.21.5, 1.22.1
    installedVersion: 1.21.1
    lastModifiedDate: "2021-11-30T22:42:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-25741
    publishedDate: "2021-09-20T17:15:00Z"
    resource: k8s.io/kubelet
    score: 8.1
    severity: HIGH
    target: ""
    title: Symlink exchange can allow host filesystem access
    vulnerabilityID: CVE-2021-25741
  - fixedVersion: 1.22.14, 1.23.11, 1.24.5
    installedVersion: 1.21.1
    lastModifiedDate: "2023-06-01T13:14:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2021-25749
    publishedDate: "2023-05-24T17:15:00Z"
    resource: k8s.io/kubelet
    score: 7.8
    severity: HIGH
    target: ""
    title: runAsNonRoot logic bypass for Windows containers
    vulnerabilityID: CVE-2021-25749
  - fixedVersion: 1.24.14, 1.25.10, 1.26.5, 1.27.2
    installedVersion: 1.21.1
    lastModifiedDate: "2023-07-01T06:15:00Z"
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-2431
    publishedDate: "2023-06-16T08:15:00Z"
    resource: k8s.io/kubelet
    score: 5.5
    severity: LOW
    target: ""
    title: 'kubernetes: Bypass of seccomp profile enforcement'
    vulnerabilityID: CVE-2023-2431