- [Am I vulnerable?](#am-i-vulnerable)
      - [Affected Versions](#affected-versions)
    - [How do I mitigate this vulnerability?](#how-do-i-mitigate-this-vulnerability)
      - [Fixed Versions](#fixed-versions)
    - [Detection](#detection)
      - [Additional Details](#additional-details)
      - [Acknowledgements](#acknowledgements)

that could allow a user with the ability to query a node's '/logs' endpoint
to execute arbitrary commands on the host.

**Affected Versions**:
  - kubelet <= v1.29.12
  - kubelet <= v1.30.8
  - kubelet <= v1.31.4
  - kubelet = v1.32.0

**Fixed Versions**:
  - kubelet 1.29.13
  - kubelet 1.30.9
  - kubelet 1.31.5
  - kubelet 1.32.1

    * With WatchBookmark feature, clients are able to request watch events with BOOKMARK type. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session.

- Kubeadm: updated the supported etcd version to v3.5.23 for supported control plane versions v1.31, v1.32, and v1.33. ([#134692](https://github.com/kubernetes/kubernetes/pull/134692), [@joshjms](https://github.com/joshjms)) [SIG Cluster Lifecycle and Etcd]

where BUILTIN\Users may be able to read container logs and NT
AUTHORITY\Authenticated Users may be able to modify container logs.

**Affected Versions**:
  - kubelet <= 1.27.15
  - kubelet <= 1.28.11
  - kubelet <= 1.29.6
  - kubelet <= 1.30.2 

**Fixed Versions**:
  - kubelet 1.27.16
  - kubelet 1.28.12
  - kubelet 1.29.7
  - kubelet 1.30.3 

**Affected Versions**:
  - kube-apiserver v1.31.0 - v1.31.11
  - kube-apiserver v1.32.0 - v1.32.7
  - kube-apiserver v1.33.0 - v1.33.3

**Fixed Versions**:
  - kube-apiserver v1.31.12
  - kube-apiserver v1.32.8
  - kube-apiserver v1.33.4

This vulnerability was reported by Paul Viossat.

values in certain fields, and does not impact calls from kubelets that go
through the built-in NodeRestriction admission plugin.

**Affected Versions**:
  - kube-apiserver v1.20.0 - v1.20.5
  - kube-apiserver v1.19.0 - v1.19.9
  - kube-apiserver <= v1.18.17

**Fixed Versions**:
  - kube-apiserver v1.21.0
  - kube-apiserver v1.20.6
  - kube-apiserver v1.19.10
  - kube-apiserver v1.18.18

## External Dependencies

Continuous integration builds use Docker versions 1.11.2, 1.12.6, 1.13.1,
and 17.03.2. These versions were validated on Kubernetes 1.8. However,
consult an appropriate installation or upgrade guide before deciding what
versions of Docker to use.

- Docker 1.13.1 and 17.03.2

    - Shared PID namespace, live-restore, and overlay2 were validated.

## **External Dependency Version Information**

Continuous integration builds have used the following versions of external dependencies, however, this is not a strong recommendation and users should consult an appropriate installation or upgrade guide before deciding what versions of etcd, docker or rkt to use.

* Docker versions 1.10.3, 1.11.2, 1.12.6 have been validated

    * Docker version 1.12.6 known issues

* Cloud Controller Manager now sets Node.Spec.ProviderID ([#50730](https://github.com/kubernetes/kubernetes/pull/50730), [@andrewsykim](https://github.com/andrewsykim))
* Parameterize session affinity timeout seconds in service API for Client IP based session affinity. ([#49850](https://github.com/kubernetes/kubernetes/pull/49850), [@m1093782566](https://github.com/m1093782566))