GHSA-r76g-g87f-vw8f

GitHub Security Advisory

Kubelet Incorrect Privilege Assignment

GitHub Reviewed: ✓ | Severity: MODERATE | Has CVE

Advisory Details

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.
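
An audit for the condition described above, as an added example that is not code from the advisory or from the Kubernetes project: it reads a pod manifest and reports each container that sets no explicit `runAsUser`, with the outcome the advisory gives for it. It assumes the pod-spec fields `securityContext.runAsUser` and `securityContext.runAsNonRoot` (the pod-spec setting behind what the advisory calls `mustRunAsNonRoot`); `pod`, `samplePod` and `Audit` are hypothetical names, and the manifest is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pod is the subset of a Pod manifest the check needs (keys match case-insensitively).
type pod struct {
	Spec struct {
		SecurityContext map[string]any
		Containers      []struct {
			Name            string
			SecurityContext map[string]any
		}
	}
}

// samplePod is a constructed manifest, shaped like `kubectl get pod NAME -o json`.
const samplePod = `{"spec":{"securityContext":{"runAsNonRoot":true},"containers":[
 {"name":"app"}, {"name":"sidecar","securityContext":{"runAsNonRoot":false}},
 {"name":"db","securityContext":{"runAsUser":999}}]}}`

// Audit lists containers with no explicit runAsUser and the advisory's outcome for each.
func Audit(manifest []byte) (findings []string, err error) {
	var p pod
	if err = json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	for _, c := range p.Spec.Containers {
		eff := map[string]any{} // container-level values override pod-level ones
		for _, s := range []map[string]any{p.Spec.SecurityContext, c.SecurityContext} {
			for k, v := range s {
				eff[k] = v
			}
		}
		switch {
		case eff["runAsUser"] != nil: // explicit uid: outside the advisory's condition
		case eff["runAsNonRoot"] == true:
			findings = append(findings, c.Name+": kubelet refuses to start as root")
		default:
			findings = append(findings, c.Name+": may run as uid 0")
		}
	}
	return findings, nil
}

func main() {
	fmt.Println(Audit([]byte(samplePod)))
}
```

Containers reported as "refuses to start" fail closed on an affected kubelet; those reported as "may run as uid 0" are the ones to give an explicit `runAsUser` or move to a node running a fixed version.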

Affected Packages

Go: k8s.io/kubernetes/cmd/kubelet
Affected versions: 1.14.0 (fixed in 1.14.3)

Go: k8s.io/kubernetes/cmd/kubelet
Affected versions: 1.13.0 (fixed in 1.13.7)

Key Information

GHSA ID: GHSA-r76g-g87f-vw8f
Published: April 24, 2024 8:03 PM
Last Modified: June 10, 2024 7:33 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Go
Primary Package: k8s.io/kubernetes/cmd/kubelet
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.