CVE-2019-11243 LOW

CVE-2019-11243

Vendor Kubernetes
Product Kubernetes
Weakness CWE-271
Published April 22, 2019
Last update August 4, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

Key dates

02Disclosure timeline

April 22, 2019 CVE published
August 4, 2024 Record updated