CVE-2019-11253

HIGH

Published 2019-10-17T15:40:10.154574Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-11253. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

7.5

/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.398

probability

of exploitation in the wild

There is a 39.8% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.971

Higher than 97.1% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Description

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Kubernetes

Affected Versions:

prior to 1.13.12 prior to 1.14.8 prior to 1.15.5 prior to 1.16.2 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

XML Entity Expansion and Improper Input Validation in Kubernetes API server

GHSA-pmqp-h87c-mr78

Advisory Details

Affected Packages

Go k8s.io/kubernetes

ECOSYSTEM: ≥1.0.0 <1.13.12

Go k8s.io/kubernetes

ECOSYSTEM: ≥1.14.0 <1.14.8

Go k8s.io/kubernetes

ECOSYSTEM: ≥1.15.0 <1.15.5

Go k8s.io/kubernetes

ECOSYSTEM: ≥1.16.0 <1.16.2

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-11253

WEB https://github.com/kubernetes/kubernetes/issues/83253

WEB https://github.com/kubernetes/kubernetes/pull/83261

WEB https://access.redhat.com/errata/RHSA-2019:3239

WEB https://access.redhat.com/errata/RHSA-2019:3811

WEB https://access.redhat.com/errata/RHSA-2019:3905

WEB https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2

WEB https://groups.google.com/forum/#!topic/kubernetes-security-announce/jk8polzSUxs

WEB https://security.netapp.com/advisory/ntap-20191031-0006

Advisory provided by GitHub Security Advisory Database. Published: May 18, 2021, Modified: September 29, 2023

References

https://github.com/kubernetes/kubernetes/issues/83253

https://groups.google.com/forum/#%21topic/kubernetes-security-announce/jk8polzSUxs

https://access.redhat.com/errata/RHSA-2019:3239

https://security.netapp.com/advisory/ntap-20191031-0006/

https://access.redhat.com/errata/RHSA-2019:3811

https://access.redhat.com/errata/RHSA-2019:3905

Published: 2019-10-17T15:40:10.154574Z

Last Modified: 2024-09-16T23:21:47.959Z

Copied to clipboard!

CVE-2019-11253

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

Kubernetes

Affected Versions:

GitHub Security Advisories

XML Entity Expansion and Improper Input Validation in Kubernetes API server

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!