Vulnerability Description
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | 1.1 - 1.14 |
| Kubernetes | Kubernetes | 1.15.x < 1.15.10 |
| Kubernetes | Kubernetes | 1.16.x < 1.16.7 |
| Kubernetes | Kubernetes | 1.17.x < 1.17.3 |
Related Weaknesses (CWE)
References
- https://github.com/kubernetes/kubernetes/issues/89535 (Third Party Advisory)
- https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200413-0003/ (Third Party Advisory)
FAQ
What is CVE-2019-11254?
CVE-2019-11254 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
How severe is CVE-2019-11254?
CVE-2019-11254 has been rated MEDIUM with a CVSS base score of 6.5/10. The impact is availability: an authenticated (authorized) user can drive CPU consumption on the kube-apiserver through crafted YAML, so the risk is denial of service rather than data disclosure or privilege escalation.
Is there a patch for CVE-2019-11254?
Check the references section above for vendor advisories and patch information. The fixed releases named in the description are Kubernetes 1.15.10, 1.16.7 and 1.17.3; clusters on 1.1-1.14 have no patched release in their branch and should be upgraded to a fixed branch. Affected products include: Kubernetes (vendor: Kubernetes).