CVE-2019-1002100
MEDIUMKubernetes < 1.11.8, 1.12.6, 1.13.4 - Denial of Service via JSON Patch Request
Title source: llmDescription
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
References (6)
Core 6
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107290
Mailing List x_refsource_confirm
https://groups.google.com/forum/#%21topic/kubernetes-announce/vmUUNkYfG9g
Issue Tracking, Vendor Advisory x_refsource_confirm
https://github.com/kubernetes/kubernetes/issues/74534
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190416-0002/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1851
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3239
Scores
CVSS v3
6.5
EPSS
0.0268
EPSS Percentile
86.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (4)
k8s.io/kubernetes
1.0.0Go
kubernetes/kubernetes
< 1.11.8
redhat/openshift_container_platform
3.10
redhat/openshift_container_platform
3.11
Published
Apr 01, 2019
Tracked Since
Feb 18, 2026