Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2019-11253

Good to know:

icon

Date: October 17, 2019

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

Language: Go

Severity Score

Related Resources (15)

https://github.com/kubernetes/kubernetes/issues/83253
https://security.netapp.com/advisory/ntap-20191031-0006
https://access.redhat.com/errata/RHSA-2019:3811
https://access.redhat.com/errata/RHSA-2019:3239
https://security.netapp.com/advisory/ntap-20191031-0006/
https://groups.google.com/forum/#%21topic/kubernetes-security-announce/jk8polzSUxs
https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2
https://github.com/advisories/GHSA-pmqp-h87c-mr78
https://access.redhat.com/errata/RHSA-2019:3905
https://groups.google.com/forum/#!topic/kubernetes-security-announce/jk8polzSUxs
https://nvd.nist.gov/vuln/detail/CVE-2019-11253
https://github.com/kubernetes/kubernetes/pull/83261
https://www.mend.io/vulnerability-database/CVE-2019-11253
https://www.mend.io/resources/blog/top-security-open-source-vulnerabilities
https://www.mend.io/resources/blog/top-5-new-open-source-security-vulnerabilities-in-october-2019

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-776

Top Fix

icon

Upgrade Version

Upgrade to version v1.13.12;v1.14.8;v1.15.5;v1.16.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us