
546 matches found

Tenable Nessus
added 2019/04/09 12:00 a.m. · 36 views

Kubernetes 1.x < 1.11.8 / 1.12.x < 1.12.6 / 1.13.x < 1.13.4 API server DOS

The version of Kubernetes installed on the remote host is version 1.x prior to 1.11.8, 1.12.x prior to 1.12.6 or 1.13.x prior to 1.13.4. It is, therefore, affected by a denial of service vulnerability in the API server. An authenticated, remote attacker can exploit this via a specially crafted...

6.5 CVSS · 6.8 AI score · 0.02677 EPSS
Exploits: 0 · References: 4

IBM Security Bulletins
added 2019/04/03 10:55 p.m. · 37 views

Security Bulletin: API Connect V2018 is impacted by vulnerability in the Kubernetes API server (CVE-2019-1002100)

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-1002100 DESCRIPTION: The Kubernetes API server is vulnerable to a denial of service. By sending a specially crafted patch of type "json-patch" requests, a remote authenticated attacker could...

6.5 CVSS · 1.5 AI score · 0.02677 EPSS
Exploits: 0 · Affected Software: 1

OSV
added 2019/04/01 2:29 p.m. · 28 views

CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

6.5 CVSS · 7 AI score
Exploits: 0 · References: 6

UbuntuCve
added 2019/04/01 2:29 p.m. · 27 views

CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

6.5 CVSS · 6.8 AI score · 0.02677 EPSS
Exploits: 0 · References: 3

NVD
added 2019/04/01 2:29 p.m. · 14 views

CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

6.5 CVSS · 6.6 AI score · 0.02677 EPSS
Exploits: 0 · References: 6

Prion
added 2019/04/01 2:29 p.m. · 23 views

Code injection

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

4 CVSS · 6.5 AI score · 0.02677 EPSS
Exploits: 0 · References: 6 · Affected Software: 2

OSV
added 2019/04/01 2:29 p.m. · 0 views

UBUNTU-CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

6.5 CVSS · 6.8 AI score · 0.02677 EPSS
Exploits: 0 · References: 4

CVE
added 2019/04/01 2:14 p.m. · 207 views

CVE-2019-1002100

CVE-2019-1002100 affects Kubernetes: in Kubernetes API server prior to versions v1.11.8, v1.12.6, and v1.13.4, authorized users can send a crafted patch of type json-patch (e.g., kubectl patch --type json or Content-Type: application/json-patch+json) that consumes excessive resources, causing a D...

6.5 CVSS · 6.4 AI score · 0.02677 EPSS
Exploits: 0 · References: 6 · Affected Software: 1

Debian CVE
added 2019/04/01 2:14 p.m. · 21 views

CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type: application/json-patch+json" that consumes...

6.5 CVSS · 6.7 AI score · 0.02677 EPSS
Exploits: 0

Japan Vulnerability Notes
added 2019/04/01 12:00 a.m. · 117 views

JVN#01119243: API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions

JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284). The application is no longer available/supported, and its service ended on 2019 March 23. Impact: A remote attacker may obtain or alt...

9.1 CVSS · 9 AI score · 0.00223 EPSS
Exploits: 0

Cloud Foundry
added 2019/04/01 12:00 a.m. · 70 views

CVE-2019-1002100: Kubernetes API Server Patch Request Consumes Excess Resource Cause Denial of Service | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Cloud Foundry Container Runtime CFCR All versions prior to 0.31.0 Description In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the...

6.5 CVSS · 6.5 AI score · 0.02677 EPSS
Exploits: 0

Prion
added 2019/03/08 7:29 p.m. · 11 views

Input validation

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to access sensitive data that could be used to elevate their privileges to administrator. The vulnerability is due to improper implementation of filesystem permissions. An attacker...

7.2 CVSS · 7.3 AI score · 0.00239 EPSS
Exploits: 0 · References: 2 · Affected Software: 1

Veracode
added 2019/03/04 3:56 a.m. · 22 views

Denial Of Service (DoS)

github.com/kubernetes/kubernetes is vulnerable to denial of service. A user who is authorized to make patch requests to the Kubernetes API Server can send malicious patches of type json-patch to cause the server to consume excessive amounts of resources during processing, resulting in a denial of...

6.5 CVSS · 6.2 AI score · 0.02677 EPSS
Exploits: 0 · References: 7 · Affected Software: 3

Positive Technologies
added 2019/01/18 12:00 a.m. · 1 view

PT-2019-4310 · Kubernetes +1 · Kubernetes Api Server +1

Name of the Vulnerable Software and Affected Versions: Kubernetes API server versions v1.0 through v1.12 Kubernetes API server versions prior to v1.13.12 Kubernetes API server versions prior to v1.14.8 Kubernetes API server versions prior to v1.15.5 Kubernetes API server versions prior to v1.16.2...

8.1 CVSS · 6 AI score · 0.84511 EPSS
Exploits: 2 · References: 40

Veracode
added 2019/01/15 9:10 a.m. · 15 views

Unauthorized Access To Resources

github.com/kubernetes/kubernetes is vulnerable to privilege escalation attacks. When certain requests are made to API server, it does not control users' access to resources such as RAM and disk space by properly checking their permissions...

7.7 CVSS · 8.6 AI score · 0.00236 EPSS
Exploits: 0 · References: 7 · Affected Software: 35

Cloud Foundry
added 2019/01/08 12:00 a.m. · 32 views

Kubernetes API Server acts as proxy for internal and external IPs | Cloud Foundry

Severity Unspecified Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Cloud Foundry Container Runtime CFCR All versions prior to v0.26.0 Description Kubernetes API, versions 1.11.x prior to 1.11.6, 1.12.x prior to 1.12.4, contains an improper proxy. A remote...

6.9 AI score
Exploits: 0

0day.today
added 2018/12/24 12:00 a.m. · 126 views

Kubernetes - (Unauthenticated) Arbitrary Requests Exploit

!/usr/bin/env python3 import argparse from ssl import wrapsocket from json import loads, dumps from socket import createconnection def requeststage1base, version, target: stage1 = "" with open'ustage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatbase, version, target .encode'utf-...

9.8 CVSS · 0.8 AI score · 0.90189 EPSS
Exploits: 10

Exploit DB
added 2018/12/10 12:00 a.m. · 61 views

Kubernetes - (Authenticated) Arbitrary Requests

!/usr/bin/env python3 import argparse from ssl import wrapsocket from socket import createconnection from secrets import base64, tokenbytes def requeststage1namespace, pod, method, target, token: stage1 = "" with open'stage1', 'r' as stage1fd: stage1 = stage1fd.read return stage1.formatnamespace,...

9.8 CVSS · 8.1 AI score · 0.90189 EPSS
Exploits: 10

exploitpack
added 2018/12/10 12:00 a.m. · 44 views

Kubernetes - (Unauthenticated) Arbitrary Requests

Kubernetes - Unauthenticated Arbitrary Requests !/usr/bin/env python3 import argparse from ssl import wrapsocket from json import loads, dumps from socket import createconnection def requeststage1base, version, target: stage1 = "" with open'ustage1', 'r' as stage1fd: stage1 = stage1fd.read return...

7.5 CVSS · 0.6 AI score · 0.90189 EPSS
Exploits: 10

IBM Security Bulletins
added 2018/12/07 5:50 p.m. · 38 views

Security Bulletin: IBM Cloud Private is affected by a privilege escalation vulnerability in Kubernetes API server

Summary IBM Cloud Private is affected by a security vulnerability in Kubernetes which in some cases can allow unauthorized access to the Kubernetes API Server and/or trusted user privilege escalation. Vulnerability Details CVEID: CVE-2018-1002105 DESCRIPTION: Kubernetes could allow a remote...

9.8 CVSS · 1.1 AI score · 0.90189 EPSS
Exploits: 10 · Affected Software: 1