CVE-2019-11247 MEDIUM

CVE-2019-11247: Kubernetes kube-apiserver allows access to custom resources via wrong scope

Vendor Kubernetes
Product Kubernetes
Weakness CWE-20 · Improper Input Validation
Published August 29, 2019
Last update September 16, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorization for a resource accessed in this manner is enforced using the Roles and RoleBindings of the namespace named in the request, so a user whose RBAC grants cover that custom resource only within one namespace could create, view, update or delete the cluster-scoped resource (according to the verbs their namespace role grants). This is a scope-confusion bug in the API server, not a bypass of authentication or of RBAC as a whole: the attacker still needs a namespaced grant on that resource, and the namespace's role decides which verbs succeed. Affected Kubernetes versions: 1.13.x prior to 1.13.9, 1.14.x prior to 1.14.5, 1.15.x prior to 1.15.2, and the 1.7 through 1.12 release series, which received no fixed release.
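Two checks a cluster operator would want after reading the description, written as an added example for this record rather than code from the CVE entry or the Kubernetes project: a version test against the affected ranges above, and an audit that lists namespaced RBAC grants (Roles, or ClusterRoles bound through a RoleBinding) covering a cluster-scoped CustomResourceDefinition, which is the precondition the description names. The CRD, Role and RoleBinding objects at the bottom are constructed sample manifests in the shape of the real API objects; the function names are the example's own.

```python
"""Added example for CVE-2019-11247 (editor's code, not from the CVE record
or the Kubernetes project).

1. is_affected(version): tests a kube-apiserver version against the ranges
   in the description (fixed in 1.13.9, 1.14.5 and 1.15.2; 1.7 through 1.12
   affected with no fixed release).
2. namespace_grants_on_cluster_scoped_crds(...): given CRDs, Roles,
   ClusterRoles and RoleBindings as dicts shaped like the API objects, lists
   every namespaced grant that covers a cluster-scoped custom resource, the
   precondition an attacker needs.
"""
import re

FIXED_IN = {13: 9, 14: 5, 15: 2}     # 1.<minor>: first patch release with the fix
UNFIXED_MINORS = range(7, 13)        # 1.7 .. 1.12: affected, no fixed release


def parse_version(version):
    """Accept 'v1.15.1', '1.15.1' or 'v1.15.1-gke.1'; return (major, minor, patch)."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if a kube-apiserver at this version falls in the affected ranges."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    if minor in UNFIXED_MINORS:
        return True
    if minor in FIXED_IN:
        return patch < FIXED_IN[minor]
    return False  # 1.16+ shipped with the fix; releases before 1.7 are not listed


def cluster_scoped_resources(crds):
    """Set of (group, plural) for every CRD whose spec.scope is Cluster."""
    return {(crd["spec"]["group"], crd["spec"]["names"]["plural"])
            for crd in crds if crd["spec"].get("scope") == "Cluster"}


def rule_covers(rule, group, plural):
    """True if an RBAC PolicyRule names this group and resource (wildcards honoured)."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    return ("*" in groups or group in groups) and ("*" in resources or plural in resources)


def namespace_grants_on_cluster_scoped_crds(crds, roles, cluster_roles, role_bindings):
    """Return (namespace, subject, resource, verbs) for each RoleBinding whose
    Role or ClusterRole grants verbs on a cluster-scoped custom resource."""
    targets = cluster_scoped_resources(crds)
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    cluster_roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for binding in role_bindings:
        namespace, ref = binding["metadata"]["namespace"], binding["roleRef"]
        if ref["kind"] == "Role":
            role = roles_by_key.get((namespace, ref["name"]))
        else:  # a ClusterRole bound by a RoleBinding applies inside this namespace only
            role = cluster_roles_by_name.get(ref["name"])
        if role is None:
            continue
        for rule in role.get("rules", []):
            for group, plural in sorted(targets):
                if rule_covers(rule, group, plural):
                    for subject in binding.get("subjects", []):
                        findings.append((namespace, f'{subject["kind"]}/{subject["name"]}',
                                         f"{plural}.{group}", tuple(rule.get("verbs", []))))
    return findings


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_CRDS = [
    {"metadata": {"name": "widgets.example.com"},
     "spec": {"group": "example.com", "scope": "Cluster", "names": {"plural": "widgets"}}},
    {"metadata": {"name": "gadgets.example.com"},
     "spec": {"group": "example.com", "scope": "Namespaced", "names": {"plural": "gadgets"}}},
]
SAMPLE_ROLES = [
    {"metadata": {"namespace": "team-a", "name": "widget-editor"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"],
                "verbs": ["get", "list", "update"]}]},
    {"metadata": {"namespace": "team-a", "name": "gadget-viewer"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["gadgets"], "verbs": ["get"]}]},
]
SAMPLE_CLUSTER_ROLES = []
SAMPLE_ROLE_BINDINGS = [
    {"metadata": {"namespace": "team-a", "name": "widget-editor-binding"},
     "roleRef": {"kind": "Role", "name": "widget-editor"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"namespace": "team-a", "name": "gadget-viewer-binding"},
     "roleRef": {"kind": "Role", "name": "gadget-viewer"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

if __name__ == "__main__":
    for v in ("v1.15.1", "v1.15.2", "v1.12.10", "v1.16.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for finding in namespace_grants_on_cluster_scoped_crds(
            SAMPLE_CRDS, SAMPLE_ROLES, SAMPLE_CLUSTER_ROLES, SAMPLE_ROLE_BINDINGS):
        print(*finding)
```

Against a live cluster the same object shapes come from the `items` of `kubectl get crd,roles,clusterroles,rolebindings -A -o json`. A finding means that subject, on an unpatched apiserver, could reach the cluster-scoped objects with those verbs by addressing them as if they lived in that namespace; only `bob`, whose grant is on the namespaced `gadgets` kind, is not reported. Upgrading to a fixed release is the remedy; the audit only sizes the exposure until then.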

Key dates

Disclosure timeline

August 29, 2019 CVE published
September 16, 2024 Record updated