aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Severity mismatch for KHV002 vulnerability #532

Open jreisinger opened 1 year ago

jreisinger commented 1 year ago

What happened

I scanned a remote CLUSTER and got output where .vulnerabilities[0].severity (high) does not match the severity at .vulnerabilities[0].avd_reference (low).

$ kube-hunter --remote CLUSTER --log warn --report json | jq
{
  <...SNIP...>
  "vulnerabilities": [
    {
      <...SNIP...>
      "vid": "KHV002",
      "severity": "high",
      "avd_reference": "https://avd.aquasec.com/kube-hunter/khv002/",
      <...SNIP...>
    }
  ]
}

Expected behavior

I would expect vulnerability severity in kube-hunter output to match the severity at https://avd.aquasec.com.

choww commented 11 months ago

Also noticed the same thing with some other KHVs:

https://avd.aquasec.com/kube-hunter/khv043
https://avd.aquasec.com/kube-hunter/khv052

The links above list these as high severity, but the output in the CLI for both vulnerabilities is low (for KHV043) and medium (for KHV052).
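Until the severities in the report and on AVD agree, a cheap way to catch this class of discrepancy during triage is to diff the JSON report against a hand-maintained map of expected severities. The script below is an added example, not part of kube-hunter or of either comment above; it covers both findings reported in this thread. The expected map holds only the three values quoted here (KHV002 low, KHV043 high, KHV052 high) and is an assumption you would extend yourself rather than something fetched from avd.aquasec.com; the embedded report is a constructed sample trimmed to the fields the check uses, and KHV999 is a hypothetical ID added only to exercise the "not in the map" path.

```python
"""Flag kube-hunter findings whose reported severity disagrees with an
expected (AVD-derived) map.  Stand-alone it runs on the constructed sample;
with a report on stdin it checks that instead:

    kube-hunter --remote CLUSTER --log warn --report json | python3 check_severity.py
"""
import json
import sys
from typing import Dict, List, Tuple

# Severity levels kube-hunter emits, lowest first, so mismatches can be
# classified as under- or over-reported relative to the expected value.
SEVERITY_ORDER = ["low", "medium", "high"]

# Expected severities as quoted in this issue thread.  Assumption: a
# hand-maintained map, not data pulled from avd.aquasec.com.
AVD_EXPECTED: Dict[str, str] = {
    "KHV002": "low",
    "KHV043": "high",
    "KHV052": "high",
}

# Constructed sample of a kube-hunter JSON report, reduced to the keys this
# check reads; a real report carries more fields per finding.  KHV999 is a
# hypothetical ID used only to show how unknown findings are handled.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"vid": "KHV002", "severity": "high",
         "avd_reference": "https://avd.aquasec.com/kube-hunter/khv002/"},
        {"vid": "KHV043", "severity": "low",
         "avd_reference": "https://avd.aquasec.com/kube-hunter/khv043/"},
        {"vid": "KHV052", "severity": "medium",
         "avd_reference": "https://avd.aquasec.com/kube-hunter/khv052/"},
        {"vid": "KHV999", "severity": "medium",
         "avd_reference": "https://avd.aquasec.com/kube-hunter/khv999/"},
    ]
})


def _rank(severity: str) -> int:
    """Position of a severity in SEVERITY_ORDER; -1 for anything unexpected."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else -1


def find_severity_mismatches(report_json: str,
                             expected: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Compare each finding's severity with the expected map.

    Returns (mismatches, unchecked): one dict per disagreeing finding, and the
    IDs of findings absent from the map (those are not silently passed).
    Comparison is case-insensitive on both the ID and the severity.
    """
    report = json.loads(report_json)
    mismatches: List[dict] = []
    unchecked: List[str] = []
    for finding in report.get("vulnerabilities", []):
        vid = str(finding.get("vid", "")).upper()
        reported = str(finding.get("severity", "")).lower()
        if vid not in expected:
            unchecked.append(vid or "<no vid>")
            continue
        want = expected[vid].lower()
        if reported == want:
            continue
        # "under" means the CLI rates the finding lower than the reference,
        # which is the case most likely to cause a finding to be deprioritised.
        direction = "under" if _rank(reported) < _rank(want) else "over"
        mismatches.append({
            "vid": vid,
            "reported": reported,
            "expected": want,
            "direction": direction,
            "avd_reference": finding.get("avd_reference", ""),
        })
    return mismatches, unchecked


def main() -> None:
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    mismatches, unchecked = find_severity_mismatches(data, AVD_EXPECTED)
    for m in mismatches:
        print(f"{m['vid']}: kube-hunter={m['reported']} expected={m['expected']} "
              f"({m['direction']}-reported) {m['avd_reference']}")
    if unchecked:
        print("not in expected map: " + ", ".join(sorted(set(unchecked))),
              file=sys.stderr)
    sys.exit(1 if mismatches else 0)


if __name__ == "__main__":
    main()
```

The non-zero exit on any mismatch makes the check usable as a gate in a scan pipeline; the "under" classification is the one worth alerting on, since a finding the CLI calls low while the reference calls it high is the one a reader of the JSON alone would wrongly deprioritise.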