ClusterVulnerabilityReport
An instance of the ClusterVulnerabilityReport represents the latest vulnerabilities found in kubernetes cluster control-plane and node components. It consists of a list of control-plane and node components vulnerabilities with a summary of vulnerabilities grouped by severity. ClusterVulnerabilityReports are based on CVEs from the K8s vulnerability advisory.
The following listing shows a sample ClusterVulnerabilityReport associated with the kind cluster v1.21.1
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterVulnerabilityReport
metadata:
annotations:
trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
creationTimestamp: "2023-11-30T08:29:43Z"
generation: 1
labels:
resource-spec-hash: 6b5887445b
trivy-operator.container.name: k8s-cluster
trivy-operator.resource.kind: ClusterSbomReport
trivy-operator.resource.name: 584b5cdcd5
trivy-operator.resource.namespace: ""
name: clustersbomreport-584b5cdcd5-k8s-cluster
ownerReferences:
- apiVersion: aquasecurity.github.io/v1alpha1
blockOwnerDeletion: false
controller: true
kind: ClusterSbomReport
name: 584b5cdcd5
uid: 6b8a7458-696e-48fd-9aee-fd6747d25c42
resourceVersion: "2487"
uid: d7124d11-e744-4e10-97e3-dd03f84fd0b4
report:
artifact:
repository: kubernetes
tag: 1.21.1
os:
eosl: true
family: ubuntu
name: "21.04"
registry:
server: k8s.io
scanner:
name: Trivy
vendor: Aqua Security
version: 0.52.2
summary:
criticalCount: 0
highCount: 4
lowCount: 2
mediumCount: 9
noneCount: 0
unknownCount: 0
updateTimestamp: "2023-11-30T08:29:42Z"
vulnerabilities:
- fixedVersion: 1.5.9
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:39:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2021-43816
publishedDate: "2022-01-05T19:15:00Z"
resource: github.com/containerd/containerd
score: 9.1
severity: HIGH
target: ""
title: Unprivileged pod may bind mount any privileged regular file on disk
vulnerabilityID: CVE-2021-43816
- fixedVersion: 1.4.13, 1.5.10, 1.6.1
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:44:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2022-23648
publishedDate: "2022-03-03T14:15:00Z"
resource: github.com/containerd/containerd
score: 7.5
severity: HIGH
target: ""
title: 'containerd: insecure handling of image volumes'
vulnerabilityID: CVE-2022-23648
- fixedVersion: 1.4.8, 1.5.4
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:35:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2021-32760
publishedDate: "2021-07-19T21:15:00Z"
resource: github.com/containerd/containerd
score: 6.3
severity: MEDIUM
target: ""
title: pulling and extracting crafted container image may result in Unix file
permission changes
vulnerabilityID: CVE-2021-32760
- fixedVersion: 1.4.11, 1.5.7
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:38:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2021-41103
publishedDate: "2021-10-04T17:15:00Z"
resource: github.com/containerd/containerd
score: 7.8
severity: MEDIUM
target: ""
title: insufficiently restricted permissions on container root and plugin directories
vulnerabilityID: CVE-2021-41103
- fixedVersion: 1.5.16, 1.6.12
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:44:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2022-23471
publishedDate: "2022-12-07T23:15:00Z"
resource: github.com/containerd/containerd
score: 6.5
severity: MEDIUM
target: ""
title: containerd is an open source container runtime. A bug was found in con
...
vulnerabilityID: CVE-2022-23471
- fixedVersion: 1.5.13, 1.6.6
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T03:47:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2022-31030
publishedDate: "2022-06-09T14:15:00Z"
resource: github.com/containerd/containerd
score: 5.5
severity: MEDIUM
target: ""
title: containerd is an open source container runtime. A bug was found in the
...
vulnerabilityID: CVE-2022-31030
- fixedVersion: 1.5.18, 1.6.18
installedVersion: 1.5.2
lastModifiedDate: "2023-11-07T04:08:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-25153
publishedDate: "2023-02-16T15:15:00Z"
resource: github.com/containerd/containerd
score: 5.5
severity: MEDIUM
target: ""
title: 'containerd: OCI image importer memory exhaustion'
vulnerabilityID: CVE-2023-25153
- fixedVersion: 1.5.18, 1.6.18
installedVersion: 1.5.2
lastModifiedDate: "2023-09-15T21:15:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-25173
publishedDate: "2023-02-16T15:15:00Z"
resource: github.com/containerd/containerd
score: 7.8
severity: MEDIUM
target: ""
title: 'containerd: Supplementary groups are not set up properly'
vulnerabilityID: CVE-2023-25173
- fixedVersion: 1.4.12, 1.5.8
installedVersion: 1.5.2
lastModifiedDate: ""
links: []
primaryLink: https://github.com/advisories/GHSA-5j5w-g665-5m35
publishedDate: ""
resource: github.com/containerd/containerd
score: 3
severity: LOW
target: ""
title: Ambiguous OCI manifest parsing
vulnerabilityID: GHSA-5j5w-g665-5m35
- fixedVersion: 1.22.16, 1.23.14, 1.24.8, 1.25.4
installedVersion: 1.21.1
lastModifiedDate: "2023-05-11T15:15:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2022-3162
publishedDate: "2023-03-01T19:15:00Z"
resource: k8s.io/apiserver
score: 6.5
severity: MEDIUM
target: ""
title: Unauthorized read of Custom Resources
vulnerabilityID: CVE-2022-3162
- fixedVersion: 1.24.15, 1.25.11, 1.26.6, 1.27.3
installedVersion: 1.21.1
lastModifiedDate: "2023-08-03T15:15:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-2727
publishedDate: "2023-07-03T21:15:00Z"
resource: k8s.io/apiserver
score: 6.5
severity: MEDIUM
target: ""
title: Bypassing policies imposed by the ImagePolicyWebhook admission plugin
vulnerabilityID: CVE-2023-2727
- fixedVersion: 1.24.15, 1.25.11, 1.26.6, 1.27.3
installedVersion: 1.21.1
lastModifiedDate: "2023-08-03T15:15:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-2728
publishedDate: "2023-07-03T21:15:00Z"
resource: k8s.io/apiserver
score: 6.5
severity: MEDIUM
target: ""
title: Bypassing enforce mountable secrets policy imposed by the ServiceAccount
admission plugin
vulnerabilityID: CVE-2023-2728
- fixedVersion: 1.19.16, 1.20.11, 1.21.5, 1.22.1
installedVersion: 1.21.1
lastModifiedDate: "2021-11-30T22:42:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2021-25741
publishedDate: "2021-09-20T17:15:00Z"
resource: k8s.io/kubelet
score: 8.1
severity: HIGH
target: ""
title: Symlink exchange can allow host filesystem access
vulnerabilityID: CVE-2021-25741
- fixedVersion: 1.22.14, 1.23.11, 1.24.5
installedVersion: 1.21.1
lastModifiedDate: "2023-06-01T13:14:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2021-25749
publishedDate: "2023-05-24T17:15:00Z"
resource: k8s.io/kubelet
score: 7.8
severity: HIGH
target: ""
title: runAsNonRoot logic bypass for Windows containers
vulnerabilityID: CVE-2021-25749
- fixedVersion: 1.24.14, 1.25.10, 1.26.5, 1.27.2
installedVersion: 1.21.1
lastModifiedDate: "2023-07-01T06:15:00Z"
links: []
primaryLink: https://avd.aquasec.com/nvd/cve-2023-2431
publishedDate: "2023-06-16T08:15:00Z"
resource: k8s.io/kubelet
score: 5.5
severity: LOW
target: ""
title: 'kubernetes: Bypass of seccomp profile enforcement'
vulnerabilityID: CVE-2023-2431