CVE-2019-11255 MEDIUM

CVE-2019-11255: Kubernetes CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

Vendor Kubernetes
Product kubernetes-csi external-provisioner
Weakness CWE-20 · Improper Input Validation
Published December 5, 2019
Last update September 16, 2024

CVSS base score

4.8/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

Improper input validation in the Kubernetes CSI sidecar containers could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore-from-snapshot, cloning and resizing operations. The affected sidecars and versions, as listed in the advisory:

external-provisioner <v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1
external-snapshotter <v0.4.2, <v1.0.2, v1.1, <v1.2.2
external-resizer v0.1, v0.2

An entry such as <v1.3.1 means the releases on that line before v1.3.1; a bare entry such as v1.1 is a release line listed without a fixed version, so every build on it counts as affected. Per the CVSS vector, exploitation needs a principal that already holds high privileges in the cluster (PR:H) and depends on an action by another user (UI:R), which is why the score stays at Medium despite the High confidentiality impact.
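To check a running cluster against the version list above, here is an added shell audit script written for this page; it is not a kubernetes-csi project tool. It assumes the sidecars run from images whose tags are the upstream release versions (for example quay.io/k8scsi/csi-provisioner:v1.3.0) and whose image names are csi-provisioner, csi-snapshotter and csi-resizer (the repository names external-provisioner, external-snapshotter and external-resizer are accepted as well). The image list embedded at the end is constructed sample input, not real cluster output.

```shell
#!/bin/sh
# Flag CSI sidecar images that fall in the version ranges the CVE-2019-11255
# description lists. Illustrative script for this page, not a kubernetes-csi
# tool. Assumes image tags are the upstream release versions (v0.4.2, v1.2.1, ...).

# Set status=affected|fixed by comparing the already parsed $patch to $1.
below_patch() {
  if [ "$patch" -lt "$1" ]; then status=affected; else status=fixed; fi
}

# csi_sidecar_status IMAGE
# Prints one of: affected, fixed, not-a-csi-sidecar, unknown-version.
csi_sidecar_status() {
  image=${1%%@*}                 # drop a trailing @sha256:... digest
  last=${image##*/}              # "csi-provisioner:v1.3.0" (registry ports sit before the last /)
  name=${last%%:*}
  case "$last" in
    *:*) tag=${last#*:} ;;
    *)   tag= ;;                 # untagged or digest-only image: version unknown
  esac
  case "$name" in
    csi-provisioner|external-provisioner|csi-snapshotter|external-snapshotter|csi-resizer|external-resizer) ;;
    *) echo not-a-csi-sidecar; return 0 ;;
  esac
  ver=${tag#v}; ver=${ver%%-*}   # strip the leading "v" and any -rc/-beta suffix
  case "$ver" in
    ""|*[!0-9.]*|.*|*.|*..*) echo unknown-version; return 0 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  if [ "$rest" = "$ver" ]; then minor=0; patch=0          # tag like "v1"
  else
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi           # tag like "v1.1": whole minor line
    patch=${patch%%.*}
  fi
  status=fixed
  case "$name" in
    csi-provisioner|external-provisioner)   # affected: <0.4.3, <1.0.2, all 1.1, <1.2.2, <1.3.1
      case "$major.$minor" in
        0.[0-3]) status=affected ;;
        0.4) below_patch 3 ;;
        1.0) below_patch 2 ;;
        1.1) status=affected ;;
        1.2) below_patch 2 ;;
        1.3) below_patch 1 ;;
      esac ;;
    csi-snapshotter|external-snapshotter)   # affected: <0.4.2, <1.0.2, all 1.1, <1.2.2
      case "$major.$minor" in
        0.[0-3]) status=affected ;;
        0.4) below_patch 2 ;;
        1.0) below_patch 2 ;;
        1.1) status=affected ;;
        1.2) below_patch 2 ;;
      esac ;;
    csi-resizer|external-resizer)           # affected: v0.1, v0.2
      case "$major.$minor" in
        0.[12]) status=affected ;;
      esac ;;
  esac
  echo "$status"
}

# audit_images: read one image reference per line on stdin, print "<status> <image>".
# Against a real cluster:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' | audit_images
audit_images() {
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    echo "$(csi_sidecar_status "$img") $img"
  done
}

# Constructed sample input (not real cluster output) so the script runs offline.
audit_images <<'EOF'
quay.io/k8scsi/csi-provisioner:v1.3.0
quay.io/k8scsi/csi-provisioner:v1.4.0
quay.io/k8scsi/csi-snapshotter:v1.1.0
quay.io/k8scsi/csi-resizer:v0.2.0
quay.io/k8scsi/csi-attacher:v1.2.0
registry.k8s.io/sig-storage/csi-provisioner@sha256:0123456789abcdef
EOF
```

Images pinned by digest, retagged internally, or tagged latest cannot be mapped to a release and come back as unknown-version; those need a manual look at the sidecar's build metadata rather than being assumed fixed.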

Key dates

02 Disclosure timeline

December 5, 2019 CVE published
September 16, 2024 Record updated