Vulnerabilities (CVE)

Filtered by vendor Netapp Subscribe
Filtered by product Trident
Total 11 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-34558 4 Fedoraproject, Golang, Netapp and 1 more 6 Fedora, Go, Cloud Insights Telegraf and 3 more 2024-11-21 2.6 LOW 6.5 MEDIUM
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-25742 2 Kubernetes, Netapp 2 Ingress-nginx, Trident 2024-11-21 5.5 MEDIUM 7.6 HIGH
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
CVE-2020-29511 2 Golang, Netapp 2 Go, Trident 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-29510 2 Golang, Netapp 2 Go, Trident 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-29509 2 Golang, Netapp 2 Go, Trident 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-28366 3 Fedoraproject, Golang, Netapp 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more 2024-11-21 5.1 MEDIUM 7.5 HIGH
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
CVE-2020-28362 3 Fedoraproject, Golang, Netapp 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2019-9514 13 Apache, Apple, Canonical and 10 more 30 Traffic Server, Mac Os X, Swiftnio and 27 more 2024-11-21 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-11244 3 Kubernetes, Netapp, Redhat 3 Kubernetes, Trident, Openshift Container Platform 2024-11-21 1.9 LOW 5.0 MEDIUM
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
CVE-2019-11243 2 Kubernetes, Netapp 2 Kubernetes, Trident 2024-11-21 4.3 MEDIUM 8.1 HIGH
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()
CVE-2018-1002105 3 Kubernetes, Netapp, Redhat 3 Kubernetes, Trident, Openshift Container Platform 2024-11-21 7.5 HIGH 9.8 CRITICAL
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.