Lucene search

K
cveKubernetesCVE-2019-11253
HistoryOct 17, 2019 - 4:15 p.m.

CVE-2019-11253

2019-10-1716:15:10
CWE-776
CWE-20
kubernetes
web.nvd.nist.gov
192
4
cve-2019-11253
kubernetes
api server
input validation
security
vulnerability
json
yaml
rbac
nvd

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.026

Percentile

90.5%

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

Affected configurations

Nvd
Node
kuberneteskubernetesRange1.1.0โ€“1.12.10
OR
kuberneteskubernetesRange1.13.0โ€“1.13.2
OR
kuberneteskubernetesRange1.14.0โ€“1.14.8
OR
kuberneteskubernetesRange1.15.0โ€“1.15.5
OR
kuberneteskubernetesRange1.16.0โ€“1.16.2
Node
redhatopenshift_container_platformMatch3.9
OR
redhatopenshift_container_platformMatch3.10
OR
redhatopenshift_container_platformMatch3.11
VendorProductVersionCPE
kuberneteskubernetes*cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
redhatopenshift_container_platform3.9cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*
redhatopenshift_container_platform3.10cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*
redhatopenshift_container_platform3.11cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Kubernetes",
    "vendor": "Kubernetes",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 1.13.12"
      },
      {
        "status": "affected",
        "version": "prior to 1.14.8"
      },
      {
        "status": "affected",
        "version": "prior to 1.15.5"
      },
      {
        "status": "affected",
        "version": "prior to 1.16.2"
      },
      {
        "status": "affected",
        "version": "1.1"
      },
      {
        "status": "affected",
        "version": "1.2"
      },
      {
        "status": "affected",
        "version": "1.3"
      },
      {
        "status": "affected",
        "version": "1.4"
      },
      {
        "status": "affected",
        "version": "1.5"
      },
      {
        "status": "affected",
        "version": "1.6"
      },
      {
        "status": "affected",
        "version": "1.7"
      },
      {
        "status": "affected",
        "version": "1.8"
      },
      {
        "status": "affected",
        "version": "1.9"
      },
      {
        "status": "affected",
        "version": "1.10"
      },
      {
        "status": "affected",
        "version": "1.11"
      },
      {
        "status": "affected",
        "version": "1.12"
      }
    ]
  }
]

Social References

More

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.026

Percentile

90.5%