CVE-2019-1002100 — Allocation of Resources Without Limits or Throttling in Kubernetes

CWE-770 — Allocation of Resources Without Limits or Throttling9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

4.9%

top 10.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes Redhat Openshift Container Platform

Timeline

PublishedApr 1

Latest updateAug 20

Description

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Gok8s.io/kubernetes1.11.0 — 1.11.8+4

▶CVEListV5kubernetes/kubernetesunspecified — v1.11.8+13

▶NVDkubernetes/kubernetes1.12.0 — 1.12.6+2

▶Debiankubernetes/kubernetes< 1.17.4-1+3

Also affects: Openshift Container Platform 3.10, 3.11

🔴Vulnerability Details

OSV

Kubernetes DoS Vulnerability in k8s.io/kubernetes↗2024-08-20

▶

GHSA

Kubernetes DoS Vulnerability↗2022-05-13

▶

OSV

Kubernetes DoS Vulnerability↗2022-05-13

▶

CVEList

CVE-2019-1002100: In all Kubernetes versions prior to v1↗2019-04-01

▶

OSV

CVE-2019-1002100: In all Kubernetes versions prior to v1↗2019-04-01

▶

📋Vendor Advisories

Red Hat

kube-apiserver: DoS with crafted patch of type json-patch↗2019-02-28

▶

Debian

CVE-2019-1002100: kubernetes - In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that ar...↗2019

▶

💬Community

Bugzilla

CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch↗2019-02-26

▶