目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,219
关联 CVE
1,854
参与项目数
342
近 7 天新增
14
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
项目筛选:kubernetes
The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
Kubernetes Code Injection (CWE-94)CVE-2022-1471
Medium
2023-04-25
File Read Vulnerability allows Attackers to Compromise S3 buckets using Prow
Kubernetes Improper Access Control - Generic (CWE-284)
Medium
2023-04-25
SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X
Kubernetes Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-3172
Medium
2022-12-10
AWS Load Balancer Controller Managed Security Groups can be replaced by an unprivileged attacker
Kubernetes Resource Injection (CWE-99)
Medium
2022-06-02
AWS Load Balancer Controller can be used by an attacker to modify rules of any Security Group that they are able to tag
Kubernetes Resource Injection (CWE-99)
Medium
2022-06-02
Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)
Kubernetes Improper Authentication - Generic (CWE-287)
Medium
2022-04-23
Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS
Kubernetes Improper Access Control - Generic (CWE-284)
Medium
2021-12-16
Broken Github Link Used in deployment docs of "github.com/kubernetes/kompose"
Kubernetes Improper Access Control - Generic (CWE-284)
Medium
2021-12-16
IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
Kubernetes Man-in-the-Middle (CWE-300)CVE-2019-9946CVE-2019-3462
Medium
2021-11-07
Broken link hijacing in https://kubernetes-csi.github.io/docs/drivers.html
Kubernetes Violation of Secure Design Principles (CWE-657)
Medium
2021-11-06
Tokenless GUI Authentication
Kubernetes Improper Authentication - Generic (CWE-287)
Medium
2021-11-04
Man in the middle using LoadBalancer or ExternalIPs services
Kubernetes Man-in-the-Middle (CWE-300)CVE-2020-8554
Medium
2021-11-04
Man in the middle leading to root privilege escalation using hostNetwork=true (CAP_NET_RAW considered harmful)
Kubernetes Man-in-the-Middle (CWE-300)
Medium
2021-10-08
SSRF for kube-apiserver cloudprovider scene
Kubernetes Server-Side Request Forgery (SSRF) (CWE-918)CVE-2020-8561
Medium
2021-10-07
Node Validation Admission does not observe all oldObject fields
Kubernetes Improper Access Control - Generic (CWE-284)
Medium
2021-09-05
Loading YAML in Java client can lead to command execution
Kubernetes Deserialization of Untrusted Data (CWE-502)CVE-2021-25738
Medium
2021-08-07
Bypass apiserver proxy filter
Kubernetes Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)CVE-2020-8562
Medium
2021-05-27
SHA512 incorrect on most/many releases
Kubernetes Cryptographic Issues - Generic (CWE-310)
Medium
2021-05-09
API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint
Kubernetes Uncontrolled Resource Consumption (CWE-400)
Medium
2021-04-01
Kubelet follows symlinks as root in /var/log from the /logs server endpoint
Kubernetes Privilege Escalation (CAPEC-233)
Medium
2021-04-01
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895