CVE-2019-11248 MEDIUM

CVE-2019-11248: Kubernetes kubelet exposes /debug/pprof info on healthz port

Vendor Kubernetes
Product Kubernetes
Weakness CWE-419
Published August 29, 2019
Last update September 17, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01Description

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

Key dates

02Disclosure timeline

August 29, 2019 CVE published
September 17, 2024 Record updated