CVE-2019-11255
Kubernetes CSI Sidecar Containers - Unauthorized PersistentVolume Data Access via Improper Input Validation
Severity: MEDIUM
Title source: llmDescription
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
References (7)
Mitigation, Third Party Advisory (x_refsource_confirm): https://github.com/kubernetes/kubernetes/issues/85233
Mailing List (mailing-list, x_refsource_mlist): https://groups.google.com/forum/#%21topic/kubernetes-security-announce/aXiYN0q4uIw
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:4099
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:4096
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:4054
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:4225
Vendor Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20200810-0003/
Scores
CVSS v3
4.8
EPSS
0.0082
EPSS Percentile
74.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
Details
CWE
CWE-20
Status
published
Products (10)
kubernetes/external-provisioner: 1.3.0
kubernetes/external-provisioner: 0.4.1 - 0.4.2
kubernetes/external-resizer: 0.1.0 - 0.2.0
kubernetes/external-snapshotter: 0.4.0 - 0.4.1
kubernetes-csi/external-provisioner: 0 - 0.4.3 (Go)
kubernetes-csi/external-resizer: (Go)
kubernetes-csi/external-snapshotter: 1.0.0 - 1.0.2 (Go)
redhat/openshift_container_platform: 3.11
redhat/openshift_container_platform: 4.1
redhat/openshift_container_platform: 4.2
Published
Dec 05, 2019
Tracked Since
Feb 18, 2026