CVE-2019-11255

Published Dec 5, 2019

Last updated a year ago

CVSS medium 6.5

Overview

Description: Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
Source: jordan@liggitt.net
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 5.2
Exploitability score: 1.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 5.5
Impact score: 4.9
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-20
jordan@liggitt.net: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A78A50B-5286-400D-A54A-49F1023D97D6",
            "versionEndIncluding": "0.4.2",
            "versionStartIncluding": "0.4.1"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A5CDEBDE-A093-4D75-A289-7F8D8F47C163",
            "versionEndIncluding": "1.0.1",
            "versionStartIncluding": "1.0.0"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-provisioner:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8CD30FBE-792A-42E3-9FAA-3122EBBEFC4C",
            "versionEndIncluding": "1.2.1",
            "versionStartIncluding": "1.1.0"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-provisioner:1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "686C1D64-DB77-451E-A3EC-9A415F7EAA2B"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-resizer:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "920BC20F-8C59-4A34-AA0C-EBFD469C59C3",
            "versionEndIncluding": "0.2.0",
            "versionStartIncluding": "0.1.0"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B2DDFBDD-3AA1-40E4-B349-90D40C6E70F9",
            "versionEndIncluding": "0.4.1",
            "versionStartIncluding": "0.4.0"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F14DDAA3-4DD3-43D9-B934-4856C9A6B138",
            "versionEndIncluding": "1.0.1",
            "versionStartIncluding": "1.0.0"
          },
          {
            "criteria": "cpe:2.3:a:kubernetes:external-snapshotter:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0279E824-AF71-4EA1-8F41-3FAF256DC6EC",
            "versionEndIncluding": "1.2.1",
            "versionStartIncluding": "1.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B"
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF"
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4C85A84D-A70F-4B02-9E5D-CD9660ABF048"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References