CVE-2019-11243 — Privilege Dropping / Lowering Errors in Kubernetes
Severity: 8.1 HIGH (NVD)
EPSS: 0.2% (top 53.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 22; latest update May 5
Description
In Kubernetes v1.12.0 through v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig().
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
Affected packages: 3 packages
Vendor advisories (Bugzilla):
CVE-2019-11243 kubernetes:openshift-3.10/origin: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29] (2019-05-27)
CVE-2019-11243 kubernetes:1.1/kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29] (2019-04-25)
CVE-2019-11243 kubernetes:openshift-3.10/origin: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29] (2019-04-25)
CVE-2019-11243 kubernetes: Authentication information exposure in rest.AnonymousClientConfig() (2019-04-25)
CVE-2019-11243 kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-all] (2019-04-25)