PT-2019-12213 · Kubernetes+1 · Kubernetes+1
Prabu Shyam
·
Publicado
2019-08-13
·
Atualizado
2022-05-24
·
CVE-2019-11247
CVSS v3.1
8.1
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Kubernetes versions prior to 1.13.9
Kubernetes versions prior to 1.14.5
Kubernetes versions prior to 1.15.2
Kubernetes versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12
Description
The issue allows access to a cluster-scoped custom resource as if it were namespaced, leading to enforcement of authorizations using roles and role bindings within the namespace. This means a user with access only to a resource in one namespace could create, view, update, or delete the cluster-scoped resource according to their namespace role privileges.
Recommendations
For versions prior to 1.13.9, update to version 1.13.9 or later.
For versions prior to 1.14.5, update to version 1.14.5 or later.
For versions prior to 1.15.2, update to version 1.15.2 or later.
For versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12, update to a version that is not affected by this issue, such as version 1.13.9 or later.
Correção
Incorrect Authorization
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Kubernetes