
CVE-2019-11247

Kubernetes kube-apiserver allows access to custom resources via wrong scope

Severity Score: 8.1 (CVSS v3.1)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.


*Credits: Prabu Shyam, Verizon Media
CVSS Scores
  • CVSS v3.1 (score 8.1): Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: None
  • CVSS v3 (second vector as listed): Attack Vector: Network; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: Low
  • CVSS v2: Attack Vector: Network; Attack Complexity: Low; Authentication: Single; Confidentiality: Partial; Integrity: Partial; Availability: Partial
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
Timeline
  • 2019-04-17 CVE Reserved
  • 2019-08-15 CVE Published
  • 2024-07-29 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-284: Improper Access Control
  • CWE-863: Incorrect Authorization
Affected Vendors, Products, and Versions
Vendor      Product                       Version               Other   Status
Kubernetes  Kubernetes                    >= 1.7.0 <= 1.12.10   -       Affected
Kubernetes  Kubernetes                    >= 1.13.0 < 1.13.9    -       Affected
Kubernetes  Kubernetes                    >= 1.14.0 < 1.14.5    -       Affected
Kubernetes  Kubernetes                    >= 1.15.0 < 1.15.2    -       Affected
Kubernetes  Kubernetes                    1.12.11               beta0   Affected
Redhat      Openshift Container Platform  3.9                   -       Affected
Redhat      Openshift Container Platform  3.10                  -       Affected
Redhat      Openshift Container Platform  3.11                  -       Affected