CVE-2019-11247
Kubernetes kube-apiserver allows access to custom resources via wrong scope
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
El kube-apiserver de Kubernetes permite por error el acceso a un recurso personalizado de ámbito de clúster si la solicitud se realiza como si el recurso estuviera con espacio de nombres. Las autorizaciones para el recurso al que se tiene acceso de esta manera se aplican mediante roles y enlaces de roles dentro del espacio de nombres, lo que significa que un usuario con acceso solo a un recurso en un espacio de nombres podría crear, ver actualizar o eliminar el recurso de ámbito de clúster (según sus privilegios de rol de espacio de nombres). Las versiones afectadas de Kubernetes incluyen versiones anteriores a 1.13.9, versiones anteriores a 1.14.5, versiones anteriores a 1.15.2 y versiones 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-04-17 CVE Reserved
- 2019-08-15 CVE Published
- 2024-07-29 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-284: Improper Access Control
- CWE-863: Incorrect Authorization
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://github.com/kubernetes/kubernetes/issues/80983 | Third Party Advisory | |
https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ | Mailing List | |
https://security.netapp.com/advisory/ntap-20190919-0003 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHBA-2019:2816 | 2020-10-02 | |
https://access.redhat.com/errata/RHBA-2019:2824 | 2020-10-02 | |
https://access.redhat.com/errata/RHSA-2019:2690 | 2020-10-02 | |
https://access.redhat.com/errata/RHSA-2019:2769 | 2020-10-02 | |
https://access.redhat.com/security/cve/CVE-2019-11247 | 2019-10-24 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1732192 | 2019-10-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.7.0 <= 1.12.10 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.7.0 <= 1.12.10" | - |
Affected
| ||||||
Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.13.0 < 1.13.9 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.13.0 < 1.13.9" | - |
Affected
| ||||||
Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.14.0 < 1.14.5 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.14.0 < 1.14.5" | - |
Affected
| ||||||
Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.15.0 < 1.15.2 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.15.0 < 1.15.2" | - |
Affected
| ||||||
Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | 1.12.11 Search vendor "Kubernetes" for product "Kubernetes" and version "1.12.11" | beta0 |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.9 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.9" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.10 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.10" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11" | - |
Affected
|