Vulnerability Details : CVE-2019-11255
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
Vulnerability category: Input validation
Products affected by CVE-2019-11255
- cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*
- Kubernetes » External-provisionerVersions from including (>=) 1.1.0 and up to, including, (<=) 1.2.1cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*
- Kubernetes » External-provisionerVersions from including (>=) 0.4.1 and up to, including, (<=) 0.4.2cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*
- Kubernetes » External-provisionerVersions from including (>=) 1.0.0 and up to, including, (<=) 1.0.1cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:external-provisioner:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:external-resizer:*:*:*:*:*:*:*:*
- Kubernetes » External-snapshotterVersions from including (>=) 1.1.0 and up to, including, (<=) 1.2.1cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*
- Kubernetes » External-snapshotterVersions from including (>=) 0.4.0 and up to, including, (<=) 0.4.1cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*
- Kubernetes » External-snapshotterVersions from including (>=) 1.0.0 and up to, including, (<=) 1.0.1cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11255
0.86%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11255
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
8.0
|
4.9
|
NIST | |
|
4.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N |
0.5
|
4.2
|
Kubernetes | |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
1.2
|
5.2
|
NIST |
CWE ids for CVE-2019-11255
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- jordan@liggitt.net (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2019-11255
-
https://access.redhat.com/errata/RHSA-2019:4225
RHSA-2019:4225 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4096
RHSA-2019:4096 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20200810-0003/
CVE-2019-11255 Kubernetes Vulnerability in NetApp Products | NetApp Product Security
-
https://access.redhat.com/errata/RHSA-2019:4099
RHSA-2019:4099 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://github.com/kubernetes/kubernetes/issues/85233
CVE-2019-11255: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation · Issue #85233 · kubernetes/kubernetes · GitHubMitigation;Third Party Advisory
-
https://groups.google.com/forum/#!topic/kubernetes-security-announce/aXiYN0q4uIw
Google GroepenMailing List;Mitigation;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:4054
RHSA-2019:4054 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to