CVE-2019-11247
Vulnerability from cvelistv5
Published
2019-08-29 00:25
Modified
2024-09-16 18:04
Summary
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/kubernetes/kubernetes/issues/80983"
          },
          {
            "name": "v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"
          },
          {
            "name": "RHSA-2019:2690",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2690"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"
          },
          {
            "name": "RHBA-2019:2816",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2816"
          },
          {
            "name": "RHBA-2019:2824",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2824"
          },
          {
            "name": "RHSA-2019:2769",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2769"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kubernetes",
          "vendor": "Kubernetes",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 1.13.9"
            },
            {
              "status": "affected",
              "version": "prior to 1.14.5"
            },
            {
              "status": "affected",
              "version": "prior to 1.15.2"
            },
            {
              "status": "affected",
              "version": "1.7"
            },
            {
              "status": "affected",
              "version": "1.8"
            },
            {
              "status": "affected",
              "version": "1.9"
            },
            {
              "status": "affected",
              "version": "1.10"
            },
            {
              "status": "affected",
              "version": "1.11"
            },
            {
              "status": "affected",
              "version": "1.12"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Prabu Shyam, Verizon Media"
        }
      ],
      "datePublic": "2019-08-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-24T22:06:25",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kubernetes/kubernetes/issues/80983"
        },
        {
          "name": "v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"
        },
        {
          "name": "RHSA-2019:2690",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2690"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"
        },
        {
          "name": "RHBA-2019:2816",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2816"
        },
        {
          "name": "RHBA-2019:2824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2824"
        },
        {
          "name": "RHSA-2019:2769",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2769"
        }
      ],
      "source": {
        "defect": [
          "https://github.com/kubernetes/kubernetes/issues/80983"
        ],
        "discovery": "USER"
      },
      "title": "Kubernetes kube-apiserver allows access to custom resources via wrong scope",
      "workarounds": [
        {
          "lang": "en",
          "value": "To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "security@kubernetes.io",
          "DATE_PUBLIC": "2019-08-05",
          "ID": "CVE-2019-11247",
          "STATE": "PUBLIC",
          "TITLE": "Kubernetes kube-apiserver allows access to custom resources via wrong scope"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Kubernetes",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 1.13.9"
                          },
                          {
                            "version_value": "prior to 1.14.5"
                          },
                          {
                            "version_value": "prior to 1.15.2"
                          },
                          {
                            "version_value": "1.7"
                          },
                          {
                            "version_value": "1.8"
                          },
                          {
                            "version_value": "1.9"
                          },
                          {
                            "version_value": "1.10"
                          },
                          {
                            "version_value": "1.11"
                          },
                          {
                            "version_value": "1.12"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Kubernetes"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "Prabu Shyam, Verizon Media"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kubernetes/kubernetes/issues/80983",
              "refsource": "CONFIRM",
              "url": "https://github.com/kubernetes/kubernetes/issues/80983"
            },
            {
              "name": "v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249",
              "refsource": "MLIST",
              "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"
            },
            {
              "name": "RHSA-2019:2690",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2690"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190919-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"
            },
            {
              "name": "RHBA-2019:2816",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2816"
            },
            {
              "name": "RHBA-2019:2824",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2824"
            },
            {
              "name": "RHSA-2019:2769",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2769"
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "",
          "defect": [
            "https://github.com/kubernetes/kubernetes/issues/80983"
          ],
          "discovery": "USER"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2019-11247",
    "datePublished": "2019-08-29T00:25:27.667656Z",
    "dateReserved": "2019-04-17T00:00:00",
    "dateUpdated": "2024-09-16T18:04:25.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-11247\",\"sourceIdentifier\":\"jordan@liggitt.net\",\"published\":\"2019-08-29T01:15:11.287\",\"lastModified\":\"2024-11-21T04:20:47.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.\"},{\"lang\":\"es\",\"value\":\"El kube-apiserver de Kubernetes permite por error el acceso a un recurso personalizado de \u00e1mbito de cl\u00faster si la solicitud se realiza como si el recurso estuviera con espacio de nombres. Las autorizaciones para el recurso al que se tiene acceso de esta manera se aplican mediante roles y enlaces de roles dentro del espacio de nombres, lo que significa que un usuario con acceso solo a un recurso en un espacio de nombres podr\u00eda crear, ver actualizar o eliminar el recurso de \u00e1mbito de cl\u00faster (seg\u00fan sus privilegios de rol de espacio de nombres). Las versiones afectadas de Kubernetes incluyen versiones anteriores a 1.13.9, versiones anteriores a 1.14.5, versiones anteriores a 1.15.2 y versiones 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV30\":[{\"source\":\"jordan@liggitt.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"jordan@liggitt.net\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.0\",\"versionEndIncluding\":\"1.12.10\",\"matchCriteriaId\":\"A582FE75-D84B-4C8F-B836-95FB15F68EBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.13.0\",\"versionEndExcluding\":\"1.13.9\",\"matchCriteriaId\":\"14126DA1-4F03-43D3-BD14-0BE06EC8F4E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.14.0\",\"versionEndExcluding\":\"1.14.5\",\"matchCriteriaId\":\"E10D117F-F0C4-4355-98E3-BB4A401258DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.2\",\"matchCriteriaId\":\"2BECD4DB-0E6B-4C4A-B714-F6E4724BD0F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:kubernetes:1.12.11:beta0:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EAFE32A-5295-4A4B-9EC1-A1DB3CAE3DC8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"309CB6F8-F178-454C-BE97-787F78647C28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DBCD38F-BBE8-488C-A8C3-5782F191D915\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F87326E-0B56-4356-A889-73D026DB1D4B\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHBA-2019:2816\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHBA-2019:2824\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2690\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2769\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/kubernetes/kubernetes/issues/80983\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0003/\",\"source\":\"jordan@liggitt.net\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHBA-2019:2816\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHBA-2019:2824\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2690\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2769\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/kubernetes/kubernetes/issues/80983\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.