CVE-2019-11253

Summary

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesprior to 1.13.12affected
KubernetesKubernetesprior to 1.14.8affected
KubernetesKubernetesprior to 1.15.5affected
KubernetesKubernetesprior to 1.16.2affected
KubernetesKubernetes1.1affected
KubernetesKubernetes1.2affected
KubernetesKubernetes1.3affected
KubernetesKubernetes1.4affected
KubernetesKubernetes1.5affected
KubernetesKubernetes1.6affected
KubernetesKubernetes1.7affected
KubernetesKubernetes1.8affected
KubernetesKubernetes1.9affected
KubernetesKubernetes1.10affected
KubernetesKubernetes1.11affected
KubernetesKubernetes1.12affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

Workarounds

Exposure to requests from unauthenticated users can be mitigated by removing all write permissions from unauthenticated users, following instructions at https://github.com/kubernetes/kubernetes/issues/83253

ADP Enrichment

CVE Program Container

Additional References

References