PT-2019-12213 · Kubernetes+1 · Kubernetes+1
Prabu Shyam
·
Published
2019-08-13
·
Updated
2022-05-24
·
CVE-2019-11247
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Kubernetes versions prior to 1.13.9
Kubernetes versions prior to 1.14.5
Kubernetes versions prior to 1.15.2
Kubernetes versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12
Description
The issue allows access to a cluster-scoped custom resource as if it were namespaced, leading to enforcement of authorizations using roles and role bindings within the namespace. This means a user with access only to a resource in one namespace could create, view, update, or delete the cluster-scoped resource according to their namespace role privileges.
Recommendations
For versions prior to 1.13.9, update to version 1.13.9 or later.
For versions prior to 1.14.5, update to version 1.14.5 or later.
For versions prior to 1.15.2, update to version 1.15.2 or later.
For versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12, update to a version that is not affected by this issue, such as version 1.13.9 or later.
Fix
Incorrect Authorization
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Kubernetes