CVE feed: add RSS feed format #39513

Merged 1 commit on Mar 14, 2023
28 changes: 18 additions & 10 deletions content/en/docs/reference/issues-security/official-cve-feed.md
@@ -1,9 +1,11 @@
---
title: Official CVE Feed
linkTitle: CVE feed
weight: 25
outputs:
- json
- html
- html
- rss
layout: cve-feed
---
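Review bot: `- rss` switches on the RSS output format for this page, but the file the docs link to (`feed.xml`) and the new layout name (`cve-feed.rss.xml`) only line up if the site's RSS output format is configured with a base name of `feed`; Hugo's built-in RSS output format writes `index.xml`. State in the PR description which site-level `outputFormats` setting this relies on, otherwise a reader reproducing the page on a default Hugo configuration gets a 404 on `feed.xml`.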

@@ -14,19 +16,25 @@ the Kubernetes Security Response Committee. See
[Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/)
for more details.

The Kubernetes project publishes a programmatically accessible
[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of
published security issues. You can access it by executing the following command:

{{< comment >}}
`replace` is used to bypass known issue with rendering ">"
: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template
`layouts/_default/cve-feed.json`
{{< /comment >}}
The Kubernetes project publishes a programmatically accessible feed of published
security issues in [JSON feed](/docs/reference/issues-security/official-cve-feed/index.json)
and [RSS feed](/docs/reference/issues-security/official-cve-feed/feed.xml)
formats. You can access it by executing the following commands:

{{< tabs name="CVE feeds" >}}
{{% tab name="JSON feed" %}}
[Link to JSON format](/docs/reference/issues-security/official-cve-feed/index.json)
```shell
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
Member

Any reason to remove verbose flag?

Member Author

I was mostly wondering why use it? And I thought it was maybe a bit irrelevant, but is there a reason? :)

Member

@PushkarJ PushkarJ Mar 1, 2023

Mainly for "content-type" in the curl response header and to verify that redirects (301) happen safely

Member

See example for xml file:

curl -lv https://localhost:1313/docs/reference/issues-security/official-cve-feed/feed.xml

< Content-Type: application/xml; charset=utf-8

Same thing applies for json file too.

Member Author

I put back the verbose flag if you think it's better this way!

```
{{% /tab %}}
{{% tab name="RSS feed" %}}
[Link to RSS format](/docs/reference/issues-security/official-cve-feed/feed.xml)
```shell
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml
```
{{% /tab %}}
{{< /tabs >}}

{{< cve-feed >}}
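Review bot: the deleted `{{< comment >}}` block was the only record of why `layouts/_default/cve-feed.json` uses `replace` (the `>` rendering problem in JSON layouts, gohugoio/hugo#7229). Unless the workaround in the JSON layout was removed in the same change, move that note into the layout file itself so the next person editing the template does not drop the `replace` and reintroduce the rendering bug. The `curl -Lv` commands in both tabs are fine; since the thread above explains that `-v` is there to check `Content-Type` and the redirect, one sentence telling the reader what to look for in the verbose output would make the commands self-explanatory.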

25 changes: 25 additions & 0 deletions layouts/_default/cve-feed.rss.xml
@@ -0,0 +1,25 @@
{{ $feed := getJSON .Site.Params.cveFeedBucket -}}
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>{{ $feed.title }}</title>
<link>{{ .Site.BaseURL }}docs/reference/issues-security/official-cve-feed/</link>
<description>{{ $feed.description }}</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-US</language>
<copyright>{{ .Site.Params.Copyright_k8s }}</copyright>
<lastBuildDate>{{ time.Format "Mon, 02 Jan 2006 15:04:05 -0700" $feed._kubernetes_io.updated_at | safeHTML }}</lastBuildDate>
{{ with .OutputFormats.Get "RSS" -}}
{{ printf "<atom:link href=%q rel=\"self\" type=%q />" .Permalink .MediaType | safeHTML }}
{{ end -}}
{{ range $feed.items -}}
<item>
<title>{{ .id }}</title>
<link>{{ .url }}</link>
<pubDate>{{ time.Format "Mon, 02 Jan 2006 15:04:05 -0700" .date_published | safeHTML }}</pubDate>
<guid>{{ .external_url }}</guid>
<description>{{ htmlEscape .summary }}</description>
Member

Suggested change
<description>{{ htmlEscape .summary }}</description>
<description>{{ htmlEscape .summary | safeHTML }}</description>

This will allow the ' and other valid HTML characters to show as is. Untested but you can verify if it works by the title / description of the topmost CVE that uses the word isn't

Member

Tested this after coming home. This seems to fix it.

Before:

<description>Node address isn&#39;t always verified when proxying</description>

After:

<description>Node address isn't always verified when proxying</description>

Ref: https://gohugo.io/functions/safehtml/

Member Author

Ah yes but we absolutely need to escape characters like & and so, the feed is not a valid RSS feed without escaping those. Let me test indeed, I was thinking safeHTML was the inverse to htmlEscape but maybe not!

Member

If the RSS validator fails after the change then happy to approve it as is.

Member Author

Indeed, this is the result and it's not valid because of this:

This feed does not validate.

[line 233](https://validator.w3.org/feed/check.cgi#l233), column 55: XML parsing error: <unknown>:233:55: not well-formed (invalid token) [[help](https://validator.w3.org/feed/docs/error/SAXError.html)]

<description>`kubectl:-http-cache=<world-accessible dir>` creates world-writ ...

We are lucky that we have a title containing > char to trigger the error.

<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>Auto-refreshing Official CVE Feed</title>
<link>http://localhost:1313/docs/reference/issues-security/official-cve-feed/</link>
<description>Auto-refreshing official CVE feed for Kubernetes repository</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-US</language>
<copyright>The Kubernetes Authors</copyright>
<lastBuildDate>Fri, 10 Mar 2023 13:07:53 +0000</lastBuildDate>
<atom:link href="http://localhost:1313/docs/reference/issues-security/official-cve-feed/feed.xml" rel="self" type="application/rss+xml"/>
<item>
<title>CVE-2022-3294</title>
<link>https://github.com/kubernetes/kubernetes/issues/113757</link>
<pubDate>Tue, 08 Nov 2022 21:33:26 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3294</guid>
<description>Node address isn't always verified when proxying</description>
</item>
<item>
<title>CVE-2022-3162</title>
<link>https://github.com/kubernetes/kubernetes/issues/113756</link>
<pubDate>Tue, 08 Nov 2022 21:33:07 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3162</guid>
<description>Unauthorized read of Custom Resources</description>
</item>
<item>
<title>CVE-2022-3172</title>
<link>https://github.com/kubernetes/kubernetes/issues/112513</link>
<pubDate>Fri, 16 Sep 2022 13:14:50 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2022-3172</guid>
<description>Aggregated API server can cause clients to be redirected (SSRF)</description>
</item>
<item>
<title>CVE-2021-25749</title>
<link>https://github.com/kubernetes/kubernetes/issues/112192</link>
<pubDate>Thu, 01 Sep 2022 21:02:01 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25749</guid>
<description>`runAsNonRoot` logic bypass for Windows containers</description>
</item>
<item>
<title>CVE-2021-25741</title>
<link>https://github.com/kubernetes/kubernetes/issues/104980</link>
<pubDate>Mon, 13 Sep 2021 20:58:56 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25741</guid>
<description>Symlink Exchange Can Allow Host Filesystem Access</description>
</item>
<item>
<title>CVE-2021-25737</title>
<link>https://github.com/kubernetes/kubernetes/issues/102106</link>
<pubDate>Tue, 18 May 2021 19:14:27 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25737</guid>
<description>Holes in EndpointSlice Validation Enable Host Network Hijack</description>
</item>
<item>
<title>CVE-2021-3121</title>
<link>https://github.com/kubernetes/kubernetes/issues/101435</link>
<pubDate>Fri, 23 Apr 2021 18:07:32 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-3121</guid>
<description>Processes may panic upon receipt of malicious protobuf messages</description>
</item>
<item>
<title>CVE-2021-25735</title>
<link>https://github.com/kubernetes/kubernetes/issues/100096</link>
<pubDate>Wed, 10 Mar 2021 18:18:01 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2021-25735</guid>
<description>Validating Admission Webhook does not observe some previous fields</description>
</item>
<item>
<title>CVE-2020-8554</title>
<link>https://github.com/kubernetes/kubernetes/issues/97076</link>
<pubDate>Fri, 04 Dec 2020 20:02:15 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8554</guid>
<description>Man in the middle using LoadBalancer or ExternalIPs</description>
</item>
<item>
<title>CVE-2020-8566</title>
<link>https://github.com/kubernetes/kubernetes/issues/95624</link>
<pubDate>Thu, 15 Oct 2020 22:07:53 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8566</guid>
<description>Ceph RBD adminSecrets exposed in logs when loglevel >= 4</description>
</item>
<item>
<title>CVE-2020-8565</title>
<link>https://github.com/kubernetes/kubernetes/issues/95623</link>
<pubDate>Thu, 15 Oct 2020 22:05:32 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8565</guid>
<description>Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9</description>
</item>
<item>
<title>CVE-2020-8564</title>
<link>https://github.com/kubernetes/kubernetes/issues/95622</link>
<pubDate>Thu, 15 Oct 2020 22:03:19 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8564</guid>
<description>Docker config secrets leaked when file is malformed and log level >= 4</description>
</item>
<item>
<title>CVE-2020-8563</title>
<link>https://github.com/kubernetes/kubernetes/issues/95621</link>
<pubDate>Thu, 15 Oct 2020 22:00:44 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8563</guid>
<description>Secret leaks in kube-controller-manager when using vSphere provider</description>
</item>
<item>
<title>CVE-2020-8557</title>
<link>https://github.com/kubernetes/kubernetes/issues/93032</link>
<pubDate>Mon, 13 Jul 2020 18:39:08 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8557</guid>
<description>Node disk DOS by writing to container /etc/hosts</description>
</item>
<item>
<title>CVE-2020-8559</title>
<link>https://github.com/kubernetes/kubernetes/issues/92914</link>
<pubDate>Wed, 08 Jul 2020 17:03:16 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8559</guid>
<description>Privilege escalation from compromised node to cluster</description>
</item>
<item>
<title>CVE-2020-8558</title>
<link>https://github.com/kubernetes/kubernetes/issues/92315</link>
<pubDate>Fri, 19 Jun 2020 18:38:58 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8558</guid>
<description>Node setting allows for neighboring hosts to bypass localhost boundary</description>
</item>
<item>
<title>CVE-2020-8555</title>
<link>https://github.com/kubernetes/kubernetes/issues/91542</link>
<pubDate>Thu, 28 May 2020 16:13:34 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8555</guid>
<description>Half-Blind SSRF in kube-controller-manager</description>
</item>
<item>
<title>CVE-2020-10749</title>
<link>https://github.com/kubernetes/kubernetes/issues/91507</link>
<pubDate>Wed, 27 May 2020 19:32:29 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-10749</guid>
<description>IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements</description>
</item>
<item>
<title>CVE-2019-11254</title>
<link>https://github.com/kubernetes/kubernetes/issues/89535</link>
<pubDate>Thu, 26 Mar 2020 18:55:26 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11254</guid>
<description>kube-apiserver Denial of Service vulnerability from malicious YAML payloads</description>
</item>
<item>
<title>CVE-2020-8552</title>
<link>https://github.com/kubernetes/kubernetes/issues/89378</link>
<pubDate>Mon, 23 Mar 2020 18:35:34 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8552</guid>
<description>apiserver DoS (oom)</description>
</item>
<item>
<title>CVE-2020-8551</title>
<link>https://github.com/kubernetes/kubernetes/issues/89377</link>
<pubDate>Mon, 23 Mar 2020 18:34:40 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2020-8551</guid>
<description>Kubelet DoS via API</description>
</item>
<item>
<title>CVE-2019-11251</title>
<link>https://github.com/kubernetes/kubernetes/issues/87773</link>
<pubDate>Mon, 03 Feb 2020 15:12:22 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11251</guid>
<description>kubectl cp symlink vulnerability</description>
</item>
<item>
<title>CVE-2018-1002102</title>
<link>https://github.com/kubernetes/kubernetes/issues/85867</link>
<pubDate>Tue, 03 Dec 2019 22:58:37 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002102</guid>
<description>Unvalidated redirect</description>
</item>
<item>
<title>CVE-2019-11255</title>
<link>https://github.com/kubernetes/kubernetes/issues/85233</link>
<pubDate>Wed, 13 Nov 2019 20:57:31 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11255</guid>
<description>CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation</description>
</item>
<item>
<title>CVE-2019-11253</title>
<link>https://github.com/kubernetes/kubernetes/issues/83253</link>
<pubDate>Fri, 27 Sep 2019 16:53:31 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11253</guid>
<description>Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack</description>
</item>
<item>
<title>CVE-2019-11250</title>
<link>https://github.com/kubernetes/kubernetes/issues/81114</link>
<pubDate>Thu, 08 Aug 2019 02:03:04 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11250</guid>
<description>Bearer tokens are revealed in logs</description>
</item>
<item>
<title>CVE-2019-11248</title>
<link>https://github.com/kubernetes/kubernetes/issues/81023</link>
<pubDate>Tue, 06 Aug 2019 14:34:33 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11248</guid>
<description>/debug/pprof exposed on kubelet's healthz port</description>
</item>
<item>
<title>CVE-2019-11249</title>
<link>https://github.com/kubernetes/kubernetes/issues/80984</link>
<pubDate>Mon, 05 Aug 2019 12:44:23 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11249</guid>
<description>Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal</description>
</item>
<item>
<title>CVE-2019-11247</title>
<link>https://github.com/kubernetes/kubernetes/issues/80983</link>
<pubDate>Mon, 05 Aug 2019 12:44:08 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11247</guid>
<description>API server allows access to custom resources via wrong scope</description>
</item>
<item>
<title>CVE-2019-11245</title>
<link>https://github.com/kubernetes/kubernetes/issues/78308</link>
<pubDate>Fri, 24 May 2019 16:14:49 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11245</guid>
<description>container uid changes to root after first restart or if image is already pulled to the node</description>
</item>
<item>
<title>CVE-2019-11243</title>
<link>https://github.com/kubernetes/kubernetes/issues/76797</link>
<pubDate>Thu, 18 Apr 2019 21:31:53 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11243</guid>
<description>rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()</description>
</item>
<item>
<title>CVE-2019-11244</title>
<link>https://github.com/kubernetes/kubernetes/issues/76676</link>
<pubDate>Tue, 16 Apr 2019 20:14:25 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-11244</guid>
<description>`kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files</description>
</item>
<item>
<title>CVE-2019-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/74534</link>
<pubDate>Mon, 25 Feb 2019 19:39:09 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2019-1002100</guid>
<description>json-patch requests can exhaust apiserver resources</description>
</item>
<item>
<title>CVE-2018-1002105</title>
<link>https://github.com/kubernetes/kubernetes/issues/71411</link>
<pubDate>Mon, 26 Nov 2018 11:07:36 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002105</guid>
<description>proxy request handling in kube-apiserver can leave vulnerable TCP connections</description>
</item>
<item>
<title>CVE-2018-1002101</title>
<link>https://github.com/kubernetes/kubernetes/issues/65750</link>
<pubDate>Tue, 03 Jul 2018 08:06:15 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002101</guid>
<description>smb mount security issue</description>
</item>
<item>
<title>CVE-2018-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/61297</link>
<pubDate>Fri, 16 Mar 2018 19:24:46 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2018-1002100</guid>
<description>Kubectl copy doesn't check for paths outside of it's destination directory.</description>
</item>
<item>
<title>CVE-2017-1002102</title>
<link>https://github.com/kubernetes/kubernetes/issues/60814</link>
<pubDate>Mon, 05 Mar 2018 20:55:20 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002102</guid>
<description>atomic writer volume handling allows arbitrary file deletion in host filesystem</description>
</item>
<item>
<title>CVE-2017-1002101</title>
<link>https://github.com/kubernetes/kubernetes/issues/60813</link>
<pubDate>Mon, 05 Mar 2018 20:53:58 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002101</guid>
<description>subpath volume mount handling allows arbitrary file access in host filesystem</description>
</item>
<item>
<title>CVE-2017-1002100</title>
<link>https://github.com/kubernetes/kubernetes/issues/47611</link>
<pubDate>Thu, 15 Jun 2017 18:59:13 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1002100</guid>
<description>Azure PV should be Private scope not Container scope</description>
</item>
<item>
<title>CVE-2017-1000056</title>
<link>https://github.com/kubernetes/kubernetes/issues/43459</link>
<pubDate>Tue, 21 Mar 2017 15:22:29 +0000</pubDate>
<guid>https://www.cve.org/cverecord?id=CVE-2017-1000056</guid>
<description>PodSecurityPolicy admission plugin authorizes incorrectly</description>
</item>
</channel>
</rss>

Member

Thanks for checking this!

</item>
{{ end -}}
</channel>
</rss>
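Review bot: `htmlEscape` is applied only to `.summary` in the `<description>` line, while `$feed.title`, `$feed.description`, `.id`, `.url` and `.external_url` are interpolated raw; a bare `&` in any of them (a URL with more than one query parameter, for instance) makes the document not well-formed in exactly the way the validator output in this thread shows for `>`. Suggest escaping every interpolated value, e.g. `<link>{{ htmlEscape .url }}</link>` and `<guid>{{ htmlEscape .external_url }}</guid>`, and keeping `<description>{{ htmlEscape .summary }}</description>` without the `| safeHTML` suggestion, since the validator run above shows the unescaped `<world-accessible dir>` breaking the feed. The `&#39;` seen in the "before" snippet is harmless: an XML parser decodes it back to `'`.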
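The escaping debate in the thread above (`htmlEscape` versus `| safeHTML`) is really a question of XML well-formedness, and the validator run settles it. The Python below is an added example, not code from this PR or from Hugo: it renders feed items both escaped and raw and checks which document an XML parser accepts. The first two entries of `SAMPLE_ITEMS` copy values from the feed output pasted in the thread; the third is constructed, with `example.invalid` URLs, so that a bare `&` appears in a link. `xml_text` stands in for Hugo's `htmlEscape` (assumed to escape the same five characters, emitting `'` as `&#39;` as the thread's "before" snippet shows).

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The first two items are copied from the feed output pasted in the review thread;
# the third is constructed so that a link carries a bare "&" (two query parameters).
SAMPLE_ITEMS = [
    {"id": "CVE-2022-3294",
     "url": "https://github.com/kubernetes/kubernetes/issues/113757",
     "external_url": "https://www.cve.org/cverecord?id=CVE-2022-3294",
     "summary": "Node address isn't always verified when proxying"},
    {"id": "CVE-2019-11244",
     "url": "https://github.com/kubernetes/kubernetes/issues/76676",
     "external_url": "https://www.cve.org/cverecord?id=CVE-2019-11244",
     "summary": "`kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files"},
    {"id": "CVE-0000-00000 (constructed)",                      # constructed sample
     "url": "https://example.invalid/issues?id=1&ref=feed",      # constructed sample
     "external_url": "https://example.invalid/record?id=1&src=feed",
     "summary": "A & B: ampersand in summary"},
]


def xml_text(value: str) -> str:
    """Escape &, <, >, " and ' the way Go's html.EscapeString (Hugo's htmlEscape) does.
    Assumption: htmlEscape covers exactly these five characters."""
    return escape(value, {'"': "&#34;", "'": "&#39;"})


def render_item(item: dict, escape_fields: bool = True) -> str:
    """Render one <item>. escape_fields=False reproduces the raw output the thread
    shows after piping the value through safeHTML."""
    f = xml_text if escape_fields else (lambda s: s)
    return (
        "<item>\n"
        f"<title>{f(item['id'])}</title>\n"
        f"<link>{f(item['url'])}</link>\n"
        f"<guid>{f(item['external_url'])}</guid>\n"
        f"<description>{f(item['summary'])}</description>\n"
        "</item>\n"
    )


def render_feed(items, escape_fields: bool = True) -> str:
    """Wrap rendered items in a minimal RSS 2.0 envelope."""
    body = "".join(render_item(i, escape_fields) for i in items)
    return '<rss version="2.0"><channel>\n' + body + "</channel></rss>\n"


def parse_feed(xml_doc: str):
    """Parse the feed with a strict XML parser; returns (title, link, description)
    per item, with entity references already decoded. Raises ET.ParseError if the
    document is not well-formed, which is what the W3C validator reported."""
    root = ET.fromstring(xml_doc)
    return [(it.findtext("title"), it.findtext("link"), it.findtext("description"))
            for it in root.iter("item")]


def is_well_formed(xml_doc: str) -> bool:
    """True if an XML parser accepts the document, False otherwise."""
    try:
        ET.fromstring(xml_doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    escaped = render_feed(SAMPLE_ITEMS)
    raw = render_feed(SAMPLE_ITEMS, escape_fields=False)
    print("escaped feed well-formed:", is_well_formed(escaped))
    print("raw feed well-formed:    ", is_well_formed(raw))
    for title, link, desc in parse_feed(escaped):
        print(title, "|", link, "|", desc)
```

Two things the thread's before/after snippets hint at but do not state: `&#39;` and `'` decode to the same string, so the escaped form loses nothing for a feed reader; and the raw form fails not only on the `<world-accessible dir>` summary but on any `&` in a URL, which is why every interpolated field, not just the description, needs the escape.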