Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-pmqp-h87c-mr78

GitHub Security Advisory

XML Entity Expansion and Improper Input Validation in Kubernetes API server

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.

### Specific Go Packages Affected
k8s.io/kubernetes/pkg/apiserver

Affected Packages

Go k8s.io/kubernetes
Affected versions: 1.0.0 (fixed in 1.13.12)
Go k8s.io/kubernetes
Affected versions: 1.14.0 (fixed in 1.14.8)
Go k8s.io/kubernetes
Affected versions: 1.15.0 (fixed in 1.15.5)
Go k8s.io/kubernetes
Affected versions: 1.16.0 (fixed in 1.16.2)

Related CVEs

CVE-2019-11253

Key Information

GHSA ID
GHSA-pmqp-h87c-mr78
Published
May 18, 2021 3:38 PM
Last Modified
September 29, 2023 3:22 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
k8s.io/kubernetes
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.