⚠️ HIGH severity: chainguard-dev apko (<1.2.7) doesn't verify downloaded .apk checksums vs signed index. Attackers can inject rogue packages into OCI images if download sources are compromised. Patch: upgrade to 1.2.7. CVE-2026-42575 https://radar.offseq.com/threat/cve-2026-42575-cwe-345-insufficient-verification-o-918c9a44 #OffSeq #ContainerSecurity
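The bug class in the advisory above is a missing binding between what the signed index promises and what the mirror actually returned. The following is an added example, not apko's or apk-tools' code: it contrasts a build step that trusts the downloaded bytes with one that hashes them against the index entry first. The index text, the package blobs and the "C: holds the hex SHA-256 of the whole file" convention are all constructed for this example (the real APKINDEX checksum field uses a different, apk-specific hash), and verification of the index signature itself is assumed to have happened before this point.

```python
"""Bind each downloaded package to the signed index before it is unpacked.

Added example, not apko's or apk-tools' code. The index text below is a
constructed stand-in for a signed package index whose signature is assumed
to have been verified already; the C: field is taken here to be the hex
SHA-256 of the whole package file (an assumption for this example, not the
real APKINDEX checksum format).
"""
import hashlib
import hmac


class PackageRejected(Exception):
    """Raised when a downloaded package must not enter the image."""


def parse_index(text):
    """Parse blank-line separated stanzas of KEY:VALUE lines into {name: fields}."""
    entries, stanza = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                entries[stanza["P"]] = stanza
                stanza = {}
            continue
        key, _, value = line.partition(":")
        stanza[key] = value
    if stanza:
        entries[stanza["P"]] = stanza
    return entries


def admit_unverified(index, name, blob):
    """Vulnerable pattern: the index is consulted for the name only;
    whatever bytes the mirror returned are used as-is."""
    if name not in index:
        raise PackageRejected(f"{name}: not in index")
    return blob


def admit_verified(index, name, blob):
    """Fixed pattern: the downloaded bytes must hash to the index entry."""
    entry = index.get(name)
    if entry is None:
        raise PackageRejected(f"{name}: not in index")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, entry["C"]):
        raise PackageRejected(f"{name}: digest {actual[:12]} != index {entry['C'][:12]}")
    return blob


# Constructed package contents standing in for downloaded .apk files.
GOOD = {"busybox": b"\x1f\x8b busybox-1.36.1-r0", "zlib": b"\x1f\x8b zlib-1.3-r0"}

# Constructed index: one stanza per package, generated from the good blobs.
SIGNED_INDEX = "\n\n".join(
    f"P:{name}\nV:1.0-r0\nC:{hashlib.sha256(blob).hexdigest()}"
    for name, blob in GOOD.items()
) + "\n"


def compromised_mirror(name):
    """A mirror that serves busybox with attacker-substituted contents."""
    if name == "busybox":
        return b"\x1f\x8b busybox-with-implant"
    return GOOD[name]


def build_layer(index_text, fetch, admit):
    """Download every indexed package through `fetch`, gate it through `admit`,
    and return the names that made it into the layer."""
    index = parse_index(index_text)
    admitted = []
    for name in sorted(index):
        admit(index, name, fetch(name))
        admitted.append(name)
    return admitted


def demo():
    """Run both admission policies against the compromised mirror."""
    unverified = build_layer(SIGNED_INDEX, compromised_mirror, admit_unverified)
    try:
        build_layer(SIGNED_INDEX, compromised_mirror, admit_verified)
        verified = "built"
    except PackageRejected as exc:
        verified = f"rejected ({exc})"
    return unverified, verified


if __name__ == "__main__":
    unverified, verified = demo()
    print("unverified build admitted:", unverified)
    print("verified build:", verified)
```

The unverified build happily ships the implanted busybox because the only thing it checked was that a package of that name exists in the index; the verified build refuses the layer the moment the mirror's bytes disagree with the index. Note that the check has to happen on the bytes that will actually be unpacked, not on a separate re-download.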
Security Tip: Don't trust every container image in your registry. 🛡️ While scanning for known CVEs is vital, image signing ensures provenance. It proves that the image in production is the one your CI/CD pipeline actually built. Without it, you're vulnerable to registry-level tampering. Track vulnerabilities and stay ahead of threats: https://cvedatabase.com #InfoSec #ContainerSecurity #AppSec #CyberSecurity #CVE
CVEDatabase.com - Search & Analyze CVE Vulnerabilities

Search and analyze CVE vulnerabilities with instant access to CVSS scores, affected products, and AI-powered remediation guidance.

CVEDatabase.com
Security Tip: Harden your containers by using a read-only root filesystem. 🛡️ If an attacker exploits a CVE, they often try to download scripts or modify configs. A read-only filesystem blocks these actions at the runtime level. Combine this with non-root users for a robust defense-in-depth strategy. Research container-related vulnerabilities at https://cvedatabase.com #ContainerSecurity #CyberSecurity #InfoSec #CVE
Security Tip: Containers aren't magic sandboxes. 🛡️ To harden your infrastructure, follow the principle of least privilege: 1. Never run containers as root. 2. Use minimal base images (e.g., Alpine or Distroless) to reduce the attack surface. 3. Scan images for known vulnerabilities. Stay informed on the latest container-related CVEs at https://cvedatabase.com #InfoSec #CyberSecurity #ContainerSecurity #DevSecOps
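The three tips above (image provenance, read-only root filesystem with a non-root user, and the least-privilege list) are the kind of controls that should be checked by policy rather than remembered. The following is an added example, not code from the posts or from cvedatabase.com: a small policy checker over the JSON that `kubectl get pod <name> -o json` produces (a Deployment's pod template is unwrapped the same way). It reports every unmet control, including an image reference that is not pinned by digest, which is what a signature verifier ultimately binds to, and returns a hardened copy of the spec. The sample Pod and the `ALLOWED_ADD` capability allow-list are constructed assumptions for this example.

```python
"""Pod-spec policy check for the container hardening controls above.

Added example, not code from the posts or from cvedatabase.com. Reads the
JSON form of a Pod (or a workload embedding a pod template), lists unmet
controls, and returns a mechanically hardened copy.
"""
import copy
import json
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Capabilities a workload may add back after dropping ALL (assumed policy).
ALLOWED_ADD = {"NET_BIND_SERVICE"}


def pod_spec_of(obj):
    """Return the PodSpec of a Pod or of a workload that embeds a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def audit(obj):
    """Return a list of 'CODE: detail' findings; an empty list means policy is met."""
    spec = pod_spec_of(obj)
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"HOST_NAMESPACE: {flag} is true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"HOST_PATH: volume {vol['name']} mounts {vol['hostPath'].get('path')}")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(f"IMAGE_NOT_PINNED: {name} uses {c.get('image')}")
        if sc.get("privileged"):
            findings.append(f"PRIVILEGED: {name}")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"PRIV_ESCALATION: {name} allows setuid/file-capability gain")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"WRITABLE_ROOTFS: {name}")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or not non_root:
            findings.append(f"ROOT_USER: {name} (runAsNonRoot={non_root}, runAsUser={uid})")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"CAPS_NOT_DROPPED: {name}")
        extra = set(caps.get("add") or []) - ALLOWED_ADD
        if extra:
            findings.append(f"CAPS_ADDED: {name} adds {sorted(extra)}")
    return findings


def harden(obj):
    """Return a deep copy with the mechanically fixable controls set.
    Image digests and hostPath volumes are left alone on purpose: the digest
    must come from the build, and a hostPath mount needs a design decision."""
    new = copy.deepcopy(obj)
    spec = pod_spec_of(new)
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(flag, None)
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    pod_sc.setdefault("seccompProfile", {"type": "RuntimeDefault"})
    if pod_sc.get("runAsUser") == 0:
        del pod_sc["runAsUser"]
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.setdefault("securityContext", {})
        sc.update({"privileged": False, "allowPrivilegeEscalation": False,
                   "readOnlyRootFilesystem": True})
        if sc.get("runAsUser") == 0:
            del sc["runAsUser"]
        caps = sc.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        caps["add"] = sorted(set(caps.get("add") or []) & ALLOWED_ADD)
    return new


# Constructed sample: a Pod as it is too often written.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "web", "image": "registry.example.com/web:latest",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["SYS_ADMIN"]}}}],
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

if __name__ == "__main__":
    print("\n".join(audit(WEAK_POD)))
    print(json.dumps(harden(WEAK_POD)["spec"], indent=2))
    print("remaining:", audit(harden(WEAK_POD)))
```

Run it against live objects with `kubectl get pod <name> -o json | python3 -c 'import json,sys; from podpolicy import audit; print(audit(json.load(sys.stdin)))'` (module name assumed). Two findings survive `harden()` by design: the unpinned image tag and the docker.sock hostPath, because fixing either silently would hide a decision a human has to make.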
Security Tip: Your container's base image matters. 🛡️ Using full OS images (like Ubuntu or Debian) often includes shells, package managers, and utilities your app doesn't need, all of which increase your attack surface. Switch to minimal images like Alpine or Google's "Distroless." Fewer binaries mean fewer CVEs to track and a smaller footprint for attackers. Stay updated on the latest vulnerabilities at https://cvedatabase.com #ContainerSecurity #InfoSec #CVE #DevSecOps

K8s-Container_escape_audit Version 3

K8s-container_escape_audit Version 3 is a bash script tool that checks for escape vulnerabilities from within Docker and Kubernetes containers. The tool covers 35 main check items, including privilege escalation, namespace sharing, filesystem mounts, kernel exposure, Kubernetes misconfigurations, cloud metadata access, and recent CVEs, and provides a risk rating and recommendations for each item. It is intended for security assessments and penetration testing and must not be used in production environments without authorization. It can also be run as a Kubernetes Job, and it supports detailed reports and a JSON output option.

https://github.com/liamromanis101/K8s-container_escape_audit

#kubernetes #containersecurity #penetrationtesting #containerescape #cve

GitHub - liamromanis101/K8s-container_escape_audit: Look for possible escape vectors from a container

Look for possible escape vectors from a container. Contribute to liamromanis101/K8s-container_escape_audit development by creating an account on GitHub.

GitHub
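The tool described above runs its checks from inside the container. As an added example, not code from K8s-container_escape_audit, here is what a few of those check categories look like over the raw /proc data: the effective capability mask and seccomp state from /proc/self/status, runtime sockets, writable cgroup v1 hierarchies and host filesystems from /proc/mounts, and a mounted service-account token. The capability bit numbers come from linux/capability.h; the sample /proc texts are constructed for this example, and `run_live()` repeats the same checks against the real files.

```python
"""In-container escape-vector audit over /proc data.

Added example, not code from K8s-container_escape_audit. Decodes CapEff and
seccomp state from /proc/self/status, scans /proc/mounts for runtime
sockets, writable cgroup v1 mounts and host filesystems, and reports a
mounted service-account token. Sample /proc texts below are constructed.
"""
import os

# Capability bit numbers (linux/capability.h) for the escape-relevant subset.
ESCAPE_CAPS = {
    2: "CAP_DAC_READ_SEARCH",  # open_by_handle_at() against host files
    12: "CAP_NET_ADMIN",
    16: "CAP_SYS_MODULE",      # load kernel modules
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",      # attach to host processes when hostPID is shared
    21: "CAP_SYS_ADMIN",       # mounts, cgroup release_agent, and much more
    22: "CAP_SYS_BOOT",
    39: "CAP_BPF",
}
RUNTIME_SOCKETS = {"docker.sock", "containerd.sock", "crio.sock", "dockershim.sock"}
HOST_FS_TYPES = {"ext4", "xfs", "btrfs", "zfs"}
# Files Docker bind-mounts from the host into every container; not escape vectors.
EXPECTED_HOST_FILES = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def status_fields(text):
    """Parse 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_status(text):
    """Findings from the effective capability mask and seccomp/no_new_privs state."""
    f = status_fields(text)
    findings = []
    cap_eff = int(f.get("CapEff", "0"), 16)
    for bit, name in sorted(ESCAPE_CAPS.items()):
        if cap_eff >> bit & 1:
            findings.append(f"CAPABILITY: {name} is in CapEff")
    set_bits = bin(cap_eff).count("1")
    if set_bits >= 38:  # the full set varies by kernel; Docker's default is 14 bits
        findings.append(f"FULL_CAPS: {set_bits} capabilities in CapEff, consistent with --privileged")
    if f.get("Seccomp") == "0":
        findings.append("SECCOMP: disabled (Seccomp: 0), full syscall surface exposed")
    if f.get("NoNewPrivs") == "0":
        findings.append("NO_NEW_PRIVS: not set, setuid binaries can still raise privileges")
    return findings


def audit_mounts(text):
    """Findings from /proc/mounts lines: 'source mountpoint fstype options 0 0'."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src, mnt, fstype, opts = parts[:4]
        options = set(opts.split(","))
        if os.path.basename(mnt) in RUNTIME_SOCKETS:
            findings.append(f"RUNTIME_SOCKET: {mnt} exposes the runtime API, i.e. root on the host")
        elif fstype == "cgroup" and "rw" in options:
            findings.append(f"CGROUP_V1_RW: {mnt} writable (release_agent abuse if CAP_SYS_ADMIN is held)")
        elif (src.startswith("/dev/") and fstype in HOST_FS_TYPES
              and mnt != "/" and mnt not in EXPECTED_HOST_FILES):
            mode = ",".join(sorted(options & {"rw", "ro"}))
            findings.append(f"HOST_FS: {src} mounted at {mnt} ({mode})")
    return findings


def run_live():
    """Run the same checks against this process's real /proc files."""
    findings = []
    try:
        with open("/proc/self/status") as fh:
            findings += audit_status(fh.read())
        with open("/proc/mounts") as fh:
            findings += audit_mounts(fh.read())
    except OSError as exc:
        findings.append(f"UNAVAILABLE: {exc}")
    if os.path.exists(SA_TOKEN):
        findings.append(f"SA_TOKEN: {SA_TOKEN} present; review its RBAC before assuming it is harmless")
    return findings


# Constructed samples: Docker's default CapEff, and a --privileged container.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/nvme0n1p1 /etc/hosts ext4 rw,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
/dev/nvme0n1p1 /var/run/docker.sock ext4 rw,relatime 0 0
/dev/nvme0n1p1 /host ext4 ro,relatime 0 0
"""

if __name__ == "__main__":
    print("sample privileged status:", *audit_status(PRIVILEGED_STATUS), sep="\n  ")
    print("sample mounts:", *audit_mounts(SAMPLE_MOUNTS), sep="\n  ")
    print("live:", *run_live(), sep="\n  ")
```

Copy the script into a container and run it with `python3`; the live section is read-only and touches nothing but /proc and one `os.path.exists`, so it is safe to run in an engagement where the host-side tool cannot be. Cloud metadata reachability (169.254.169.254) is deliberately not probed here because that is a network action, not a file read.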

Today a single malicious container image could be enough to take over a larger fleet of machines and grant an attacker control over confidentiality, integrity and availability of all the workloads running in a Kubernetes cluster and potentially beyond, since clusters often hold secrets and credentials for external services and infrastructure.

In our new article, we outline the seven seas of Kubernetes security: a set of key security domains that organizations should address to secure Kubernetes effectively…

Find out more: https://cirosec.de/en/news/the-seven-seas-of-kubernetes-security/

#blog #kubernetes #cloudnative #devops #containersecurity #cybersecurity

CVE-2026-31431: Copy Fail vs. rootless containers

@josh.bressers.name scanned 161 MCP containers. Found 9,000 vulnerabilities. 263 were critical.

"Software ages like milk, not wine." His analysis breaks down what's actually being deployed in the MCP ecosystemโ€”and what to do about it.

https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/

#MCP #ContainerSecurity

Traditional security models treat compliance as a static event. This fails in modern environments because containers are ephemeral. If a vulnerability is found, the container is replaced, not patched. Our blog explores shifting from reactive scanning to proactive policy enforcement.

https://anchore.com/blog/mapping-container-inspection-to-dow-rmf-controls/

#ContainerSecurity #DevSecOps #NIST