{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "prior to 1.13.9"}, {"status": "affected", "version": "prior to 1.14.5"}, {"status": "affected", "version": "prior to 1.15.2"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.12"}]}], "credits": [{"lang": "en", "value": "Prabu Shyam, Verizon Media"}], "datePublic": "2019-08-05T00:00:00", "descriptions": [{"lang": "en", "value": "The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-24T22:06:25", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/80983"}, {"name": "v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"}, {"name": "RHSA-2019:2690", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2690"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}, {"name": "RHBA-2019:2816", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:2816"}, {"name": "RHBA-2019:2824", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"name": "RHSA-2019:2769", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2769"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/80983"], "discovery": "USER"}, "title": "Kubernetes kube-apiserver allows access to custom resources via wrong scope", "workarounds": [{"lang": "en", "value": "To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources."}], "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2019-08-05", "ID": "CVE-2019-11247", "STATE": "PUBLIC", "TITLE": "Kubernetes kube-apiserver allows access to custom resources via wrong scope"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_value": "prior to 1.13.9"}, {"version_value": "prior to 1.14.5"}, {"version_value": "prior to 1.15.2"}, {"version_value": "1.7"}, {"version_value": "1.8"}, {"version_value": "1.9"}, {"version_value": "1.10"}, {"version_value": "1.11"}, {"version_value": "1.12"}]}}]}, "vendor_name": "Kubernetes"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Prabu Shyam, Verizon Media"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/80983", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/80983"}, {"name": "v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249", "refsource": "MLIST", "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"}, {"name": "RHSA-2019:2690", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2690"}, {"name": "https://security.netapp.com/advisory/ntap-20190919-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}, {"name": "RHBA-2019:2816", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:2816"}, {"name": "RHBA-2019:2824", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"name": "RHSA-2019:2769", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2769"}]}, "solution": [], "source": {"advisory": "", "defect": ["https://github.com/kubernetes/kubernetes/issues/80983"], "discovery": "USER"}, "work_around": [{"lang": "en", "value": "To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources."}]}}}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2019-11247", "datePublished": "2019-08-05T00:00:00", "dateReserved": "2019-04-17T00:00:00", "dateUpdated": "2019-10-24T22:06:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "A582FE75-D84B-4C8F-B836-95FB15F68EBA", "versionEndIncluding": "1.12.10", "versionStartIncluding": "1.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "14126DA1-4F03-43D3-BD14-0BE06EC8F4E5", "versionEndExcluding": "1.13.9", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "E10D117F-F0C4-4355-98E3-BB4A401258DE", "versionEndExcluding": "1.14.5", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BECD4DB-0E6B-4C4A-B714-F6E4724BD0F6", "versionEndExcluding": "1.15.2", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.12.11:beta0:*:*:*:*:*:*", "matchCriteriaId": "3EAFE32A-5295-4A4B-9EC1-A1DB3CAE3DC8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*", "matchCriteriaId": "309CB6F8-F178-454C-BE97-787F78647C28", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*", "matchCriteriaId": "4DBCD38F-BBE8-488C-A8C3-5782F191D915", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."}, {"lang": "es", "value": "El kube-apiserver de Kubernetes permite por error el acceso a un recurso personalizado de \u00e1mbito de cl\u00faster si la solicitud se realiza como si el recurso estuviera con espacio de nombres. Las autorizaciones para el recurso al que se tiene acceso de esta manera se aplican mediante roles y enlaces de roles dentro del espacio de nombres, lo que significa que un usuario con acceso solo a un recurso en un espacio de nombres podr\u00eda crear, ver actualizar o eliminar el recurso de \u00e1mbito de cl\u00faster (seg\u00fan sus privilegios de rol de espacio de nombres). Las versiones afectadas de Kubernetes incluyen versiones anteriores a 1.13.9, versiones anteriores a 1.14.5, versiones anteriores a 1.15.2 y versiones 1.7, 1.8, 1.9, 1.10, 1.11, 1.12."}], "id": "CVE-2019-11247", "lastModified": "2020-10-02T16:21:57.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "jordan@liggitt.net", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-29T01:15:11.287", "references": [{"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:2816"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2690"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2769"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/80983"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{}