TF 0061 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Container capabilities must only include NET_BIND_SERVICE

| Property | Value |
| --- | --- |
| Language | terraform |
| Severity | low |

Description

The container is configured with more Linux capabilities than it needs: instead of dropping all capabilities by default and adding back only NET_BIND_SERVICE, it keeps the runtime's default set or adds further capabilities. This extends the container's privileges beyond what is necessary for binding to low-numbered ports.

Impact

If exploited, attackers could leverage unnecessary capabilities to escalate privileges or compromise the host, increasing the risk of container breakout or unauthorized access to system resources.

Resolution

Set 'spec.containers[].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[].securityContext.capabilities.add'.
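The following Terraform is an added illustration, not code from the SymbioticSec wiki entry: the same pod written the way this rule flags it (capabilities added without dropping all) and the way the resolution asks for (drop ALL, add back only NET_BIND_SERVICE). It assumes the hashicorp/kubernetes provider and a kubernetes_pod resource; the resource names and the image reference are placeholders.

```hcl
# Added example (not from the wiki entry). Assumes the hashicorp/kubernetes
# provider; pod names and the image are placeholders.

# Flagged by TF 0061: NET_BIND_SERVICE is added, but nothing is dropped, so the
# container keeps the runtime's default capability set on top of it.
resource "kubernetes_pod" "web_flagged" {
  metadata {
    name = "web-flagged"
  }

  spec {
    container {
      name  = "web"
      image = "registry.example.invalid/web:1.0" # placeholder image

      port {
        container_port = 80
      }

      security_context {
        capabilities {
          add = ["NET_BIND_SERVICE"] # no drop = ["ALL"]: defaults remain
        }
      }
    }
  }
}

# Compliant: start from an empty capability set, then add back only the one
# capability that binding port 80 as a non-root process requires.
resource "kubernetes_pod" "web" {
  metadata {
    name = "web"
  }

  spec {
    container {
      name  = "web"
      image = "registry.example.invalid/web:1.0" # placeholder image

      port {
        container_port = 80
      }

      security_context {
        capabilities {
          drop = ["ALL"]
          add  = ["NET_BIND_SERVICE"]
        }
      }
    }
  }
}
```

After `terraform apply`, the effective setting can be confirmed on the cluster with `kubectl get pod web -o jsonpath='{.spec.containers[*].securityContext.capabilities}'`, which should show `drop` containing only `ALL` and `add` containing only `NET_BIND_SERVICE`. Both lists are what the rule inspects, so a container that lists extra entries in `add`, or omits `drop`, is still reported even when NET_BIND_SERVICE is present.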