Kubernetes API Server
The Kubernetes API server exposes the control plane REST API. Attestd queries NVD with the exact keyword kube-apiserver and keywordExactMatch, so a CVE must mention the component by name to be matched.
api usage
Querying kube-apiserver
product slug
kube_apiserver
version format
1.27.0, 1.30.0
```bash
curl "https://api.attestd.io/v1/check?product=kube_apiserver&version=1.24.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```
1.27.0 is in range for CVE-2023-5528 (Windows node privilege escalation via hostPath).
```json
{
  "product": "kube_apiserver",
  "version": "1.24.0",
  "supported": true,
  "risk_state": "elevated",
  "risk_factors": ["internet_exposed_service", "patch_available"],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": true,
  "patch_available": true,
  "fixed_version": "1.24.8",
  "confidence": 0.85,
  "cve_ids": ["CVE-2022-3294"],
  "last_updated": "2026-04-25T00:00:00Z"
}
```
safe version
1.30.0 is used as a patched-line example; re-verify after NVD and synthesis updates.
```bash
curl "https://api.attestd.io/v1/check?product=kube_apiserver&version=1.26.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```
notable cves
CVE history
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-5528 | Windows node privilege escalation via hostPath mount handling. | 1.27.x | 8.8 |
| CVE-2023-2727 | Image policy webhook bypass under certain configurations. | 1.27.x | 6.5 |
| CVE-2021-25741 | Symlink exchange can escape container logs volume. | 1.19–1.22 | 8.1 |
| CVE-2020-8558 | Node services reachable via localhost binding issue. | 1.18 and prior | 8.8 |
| CVE-2019-11247 | RBAC escalation via API server aggregation layer. | 1.13–1.15 | 8.1 |
data sources
Shared CPE namespace
All Kubernetes components share the kubernetes:kubernetes CPE namespace in NVD. Attestd applies the CPE gate, then keyword matching scopes results to CVEs that mention kube-apiserver. CVEs affecting multiple components may also appear under kubelet.
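The two-stage scoping described above, as an added Python sketch that is not Attestd's own code: a record must first sit in the kubernetes:kubernetes CPE namespace, then name the component exactly. The record shape, the placeholder CVE ids and the case-insensitive whole-token matching are assumptions made for illustration.

```python
import re

K8S_NAMESPACE = ("kubernetes", "kubernetes")  # vendor:product namespace named on the page

# Constructed records in a simplified NVD-like shape; ids and text are placeholders.
K8S_CPE = "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*"
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cpes": [K8S_CPE],
     "description": "kube-apiserver skips an admission check for some requests."},
    {"id": "CVE-0000-0002", "cpes": [K8S_CPE],
     "description": "kubelet mishandles a volume path on the node."},
    {"id": "CVE-0000-0003", "cpes": [K8S_CPE],
     "description": "A proxying flaw affects both kubelet and kube-apiserver."},
    {"id": "CVE-0000-0004", "cpes": ["cpe:2.3:a:example:dashboard:*:*:*:*:*:*:*:*"],
     "description": "A third-party dashboard leaks tokens sent to kube-apiserver."},
    {"id": "CVE-0000-0005", "cpes": [K8S_CPE],
     "description": "The Kubernetes API server mishandles aggregated requests."},
]


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 string, honouring '\\:' escapes."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[3], fields[4]


def passes_cpe_gate(record, namespace=K8S_NAMESPACE):
    """Stage 1: at least one CPE of the record is in the shared namespace."""
    return any(cpe_vendor_product(c) == namespace for c in record["cpes"])


def mentions_exact(record, keyword):
    """Stage 2: whole-token, case-insensitive match (assumed semantics)."""
    pattern = r"(?<![\w-])" + re.escape(keyword) + r"(?![\w-])"
    return re.search(pattern, record["description"], re.IGNORECASE) is not None


def scope(records, keyword):
    """Apply the CPE gate, then the exact keyword; return matching CVE ids."""
    return [r["id"] for r in records
            if passes_cpe_gate(r) and mentions_exact(r, keyword)]


if __name__ == "__main__":
    print("kube-apiserver:", scope(SAMPLE_CVES, "kube-apiserver"))
    print("kubelet:       ", scope(SAMPLE_CVES, "kubelet"))
```

CVE-0000-0005 is in the right CPE namespace but is dropped because its description says "Kubernetes API server" rather than kube-apiserver, and CVE-0000-0004 names the component but fails the CPE gate. CVE-0000-0003 is returned for both keywords, which is the cross-listing with kubelet noted above.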