Property: Value
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Granting the NET_RAW capability to a container lets processes in it open raw (SOCK_RAW) and packet (AF_PACKET) sockets, i.e. craft arbitrary network packets and read frames directly off the pod's network interfaces. Almost no application workload needs this; leaving it in place widens the attack surface for no benefit. The check fails when a container's `securityContext.capabilities` either adds NET_RAW explicitly or does not drop it (or drop ALL), so the container keeps the capability as part of the runtime's default set.

Impact

If a container holding NET_RAW is compromised, the attacker can sniff traffic reaching the pod's interfaces and send spoofed packets (for example forged ARP or DNS replies) to redirect or intercept other pods' traffic on the same node or network. That can expose credentials and data in transit, enable man-in-the-middle attacks, and serve as a stepping stone for lateral movement, bypassing network controls that assume workloads cannot forge traffic.

Resolution

Remove NET_RAW from `containers[].securityContext.capabilities.add`, and make sure it is dropped rather than inherited from the default set. The recommended pattern is to drop all capabilities (`drop = ["ALL"]`) and add back only the ones the workload demonstrably needs; this is also what the Kubernetes `restricted` Pod Security Standard requires (drop ALL, add at most NET_BIND_SERVICE). If a workload genuinely needs raw sockets, add back only NET_RAW after dropping ALL and document why.
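The following is an added example (not code from the page or from any policy engine) written for the Terraform Kubernetes provider. It shows the flagged configuration beside the hardened one, plus a namespace label that enforces the same rule at admission time. The resource names, namespace and images are assumptions for illustration.

```hcl
# Added example, not from the original page. Names, namespace and images are
# assumed for illustration.

# BEFORE (flagged): NET_RAW is explicitly added and nothing is dropped, so the
# container keeps the runtime's default capability set plus raw-socket access.
resource "kubernetes_deployment" "web_insecure" {
  metadata {
    name      = "web-insecure"
    namespace = "apps"
  }
  spec {
    replicas = 1
    selector {
      match_labels = { app = "web-insecure" }
    }
    template {
      metadata {
        labels = { app = "web-insecure" }
      }
      spec {
        container {
          name  = "web"
          image = "nginx:1.25"
          security_context {
            capabilities {
              add = ["NET_RAW"] # allows SOCK_RAW / AF_PACKET sockets
            }
          }
        }
      }
    }
  }
}

# AFTER (passes): drop ALL, then add back only what the workload needs. This
# image listens on 8080 as a non-root user, so no capability is added back.
# If a process had to bind a port below 1024, add = ["NET_BIND_SERVICE"]
# would be the only permitted addition under the restricted profile.
resource "kubernetes_deployment" "web_hardened" {
  metadata {
    name      = "web-hardened"
    namespace = "apps"
  }
  spec {
    replicas = 1
    selector {
      match_labels = { app = "web-hardened" }
    }
    template {
      metadata {
        labels = { app = "web-hardened" }
      }
      spec {
        container {
          name  = "web"
          image = "nginxinc/nginx-unprivileged:1.25"
          security_context {
            allow_privilege_escalation = false
            run_as_non_root            = true
            capabilities {
              drop = ["ALL"]
              add  = [] # nothing added back; NET_RAW is gone
            }
          }
        }
      }
    }
  }
}

# Defense in depth: Pod Security Admission rejects NET_RAW at the API server
# even if a manifest bypasses the Terraform scan.
resource "kubernetes_namespace" "apps" {
  metadata {
    name = "apps"
    labels = {
      "pod-security.kubernetes.io/enforce" = "restricted"
      "pod-security.kubernetes.io/warn"    = "restricted"
    }
  }
}
```

Scanning the first resource reproduces the finding; the second satisfies it because `drop = ["ALL"]` removes NET_RAW along with every other default capability. The namespace label makes the rule hold at runtime too: a pod that adds NET_RAW, or omits `drop ALL`, is refused by the `restricted` profile regardless of how it was submitted.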