CVE-2019-1002100
kube-apiserver: DoS with crafted patch of type json-patch
Public Exploits: 0
Exploited in Wild: -
Descriptions
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
Red Hat OpenShift Container Platform is Red Hat's Kubernetes application platform for on-premise or private cloud deployments. The Red Hat errata that shipped the fix also addressed a cross-site scripting issue; only the denial of service belongs to this CVE.
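The descriptions above say only that a crafted json-patch body makes the API server do an excessive amount of work. The fix that shipped in v1.11.8, v1.12.6 and v1.13.4 bounded that work by capping the number of operations a single JSON patch may contain (10,000 upstream). The following Go program is an added example written for this page, not code from the Kubernetes project: it shows the shape of such a guard, run before any operation is applied. The body-size limit, the 10,000-operation cap as a constant, the `PatchOp` type and `BuildRepeatedPatch` are all assumptions made for the example; the input it checks is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// MaxJSONPatchOperations caps how many operations one request may carry.
// 10000 matches the order of the upstream cap; the value is an assumption here.
const MaxJSONPatchOperations = 10000

// MaxPatchBodyBytes bounds the raw body before it is decoded, so a client
// cannot force allocation for an enormous array. Assumed value for the example.
const MaxPatchBodyBytes = 3 * 1024 * 1024

// PatchOp is the minimal RFC 6902 operation shape validated here (assumed type).
type PatchOp struct {
	Op    string          `json:"op"`
	Path  string          `json:"path"`
	From  string          `json:"from,omitempty"`
	Value json.RawMessage `json:"value,omitempty"`
}

var validOps = map[string]bool{
	"add": true, "remove": true, "replace": true,
	"move": true, "copy": true, "test": true,
}

// ValidateJSONPatch is the guard a server runs before handing a json-patch
// body to the patch engine: size cap, operation-count cap, then a cheap shape
// check on every operation. It returns the parsed operations on success.
func ValidateJSONPatch(body []byte, maxOps int) ([]PatchOp, error) {
	if len(body) > MaxPatchBodyBytes {
		return nil, fmt.Errorf("patch body is %d bytes, limit is %d", len(body), MaxPatchBodyBytes)
	}
	// Decode to raw messages first: counting is cheap and happens before any
	// per-operation work, which is the whole point of the limit.
	var raw []json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("json-patch body must be a JSON array of operations: %w", err)
	}
	if len(raw) > maxOps {
		return nil, fmt.Errorf("json-patch has %d operations, limit is %d", len(raw), maxOps)
	}
	ops := make([]PatchOp, 0, len(raw))
	for i, r := range raw {
		var op PatchOp
		if err := json.Unmarshal(r, &op); err != nil {
			return nil, fmt.Errorf("operation %d is not an object: %w", i, err)
		}
		if !validOps[op.Op] {
			return nil, fmt.Errorf("operation %d has unknown op %q", i, op.Op)
		}
		// A JSON Pointer is either "" (whole document) or starts with "/".
		if op.Path != "" && !strings.HasPrefix(op.Path, "/") {
			return nil, fmt.Errorf("operation %d has malformed path %q", i, op.Path)
		}
		if (op.Op == "move" || op.Op == "copy") && op.From == "" {
			return nil, fmt.Errorf("operation %d (%s) is missing \"from\"", i, op.Op)
		}
		ops = append(ops, op)
	}
	return ops, nil
}

// BuildRepeatedPatch constructs a json-patch body of n identical add
// operations; it exists only to exercise the limit with constructed input.
func BuildRepeatedPatch(n int) []byte {
	ops := make([]PatchOp, n)
	for i := range ops {
		ops[i] = PatchOp{Op: "add", Path: "/metadata/labels/demo", Value: json.RawMessage(`"x"`)}
	}
	b, err := json.Marshal(ops)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	for _, n := range []int{3, MaxJSONPatchOperations + 1} {
		ops, err := ValidateJSONPatch(BuildRepeatedPatch(n), MaxJSONPatchOperations)
		fmt.Printf("%d operations: accepted=%d err=%v\n", n, len(ops), err)
	}
}
```

The order of the checks is the design point: the byte cap is enforced before decoding, the operation count before any operation is inspected, and the per-operation checks are constant-time, so a request that will be rejected never reaches the code whose cost depends on the patch contents. Limits like these only bound the API server's own work; a user who may `patch` a resource can still change it, so the authorization scope noted in the description remains the first control.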
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-04-01 CVE Reserved
- 2019-04-01 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (8)

URL | Tag | Date
---|---|---
http://www.securityfocus.com/bid/107290 | Broken Link |
https://groups.google.com/forum/#%21topic/kubernetes-announce/vmUUNkYfG9g | X_refsource_confirm |
https://security.netapp.com/advisory/ntap-20190416-0002 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:1851 | | 2023-11-07
https://access.redhat.com/errata/RHSA-2019:3239 | | 2023-11-07
https://github.com/kubernetes/kubernetes/issues/74534 | | 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-1002100 | | 2019-10-29
https://bugzilla.redhat.com/show_bug.cgi?id=1683190 | | 2019-10-29
Affected Vendors, Products, and Versions

Vendor | Product | Version | Status
---|---|---|---
Kubernetes | Kubernetes | < 1.11.8 | Affected
Kubernetes | Kubernetes | >= 1.12.0 < 1.12.6 | Affected
Kubernetes | Kubernetes | >= 1.13.0 < 1.13.4 | Affected
Redhat | Openshift Container Platform | 3.10 | Affected
Redhat | Openshift Container Platform | 3.11 | Affected
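The affected ranges above are per release line, so a plain numeric comparison gets them wrong: 1.11.9 is fixed while the newer 1.12.0 is not. The following Go program is an added example for this page, not tooling from the Kubernetes project or the database that hosts this entry. It encodes the three fixed releases from the advisory (v1.11.8, v1.12.6, v1.13.4) and classifies an upstream version string; the `ParseVersion` and `IsAffected` names and the handling of pre-release suffixes are assumptions of the example, and the versions it prints are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// firstFixed maps each release line that received a fix to the first fixed
// patch release, as listed in the advisory: v1.11.8, v1.12.6, v1.13.4.
var firstFixed = map[int]int{11: 8, 12: 6, 13: 4}

// ParseVersion reduces "v1.12.5", "1.12.5" or "v1.12.5-gke.3" to
// (major, minor, patch); pre-release and build suffixes are dropped.
func ParseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", v)
	}
	var n [3]int
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised version %q: %w", v, err)
		}
	}
	return n[0], n[1], n[2], nil
}

// IsAffected reports whether an upstream kube-apiserver version is inside the
// affected ranges: everything before 1.11.8, 1.12.0 to 1.12.5, 1.13.0 to 1.13.3.
// Release lines older than 1.11 never received a fix, so they count as affected.
func IsAffected(v string) (bool, error) {
	major, minor, patch, err := ParseVersion(v)
	if err != nil {
		return false, err
	}
	if major < 1 || (major == 1 && minor < 11) {
		return true, nil
	}
	if major > 1 {
		return false, nil
	}
	fixed, ok := firstFixed[minor]
	if !ok {
		// The advisory lists no affected range at or above 1.14.
		return false, nil
	}
	return patch < fixed, nil
}

func main() {
	// Constructed sample versions spanning every boundary in the advisory.
	for _, v := range []string{"v1.10.13", "v1.11.7", "v1.11.8", "v1.12.5", "v1.12.6", "v1.13.3", "v1.13.4", "v1.14.0"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-10s affected=%v err=%v\n", v, affected, err)
	}
}
```

Feed it the server version reported by the control plane (for example the `gitVersion` field of `kubectl version -o json`). The check only applies to upstream version numbers: vendor builds such as OpenShift Container Platform 3.10 and 3.11 carry their own patch series, and for those the Red Hat errata listed in the references (RHSA-2019:1851, RHSA-2019:3239) are the authoritative fixed state, not the embedded Kubernetes number.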