CVE-2019-11247

HIGH

Kubernetes < 1.13.9, < 1.14.5, < 1.15.2 - Unauthorized Cluster-Scoped Custom Resource Access via Namespace Impersonation

Title source: llm

Description

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

References (7)

Third Party Advisory, x_refsource_confirm: https://github.com/kubernetes/kubernetes/issues/80983
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2019:2690
Third Party Advisory, x_refsource_confirm: https://security.netapp.com/advisory/ntap-20190919-0003/
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHBA-2019:2816
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHBA-2019:2824
Third Party Advisory, vendor-advisory, x_refsource_redhat: https://access.redhat.com/errata/RHSA-2019:2769

Scores

CVSS v3 8.1
EPSS 0.0018
EPSS Percentile 38.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-20, CWE-863
Status published
Products (6)
k8s.io/apiextensions-apiserver 0.7.0 - 0.13.9 (Go)
kubernetes/kubernetes 1.12.11 beta0
kubernetes/kubernetes 1.7.0 - 1.12.10
redhat/openshift_container_platform 3.9
redhat/openshift_container_platform 3.10
redhat/openshift_container_platform 3.11
Published Aug 29, 2019
Tracked Since Feb 18, 2026