CVE-2019-11248
published 2019-08-29

Priority: P1 · 82 · high
CVSS 3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 61.14% (99.0th percentile)

The Go pprof debugging endpoint /debug/pprof is exposed over the Kubelet's unauthenticated healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or be used for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

Affected

34 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | kubernetes | < kubernetes 1.17.4-1 (bookworm) | kubernetes 1.17.4-1 (bookworm)
kubernetes | kubernetes | < 1.12.10 | 1.12.10
kubernetes | kubernetes | |

Detection & IOCs (extracted from sources)

path: /debug/pprof/
path: /debug/pprof/goroutine?debug=1
port: 10248
  • HTTP GET request to /debug/pprof/ or /debug/pprof/goroutine?debug=1 on the Kubelet healthz port (default 10248, also seen on 9100); match response body for strings indicating pprof exposure.
  • Check Kubelet configuration for a non-localhost healthzBindAddress (--healthz-bind-address); if set to a non-loopback address on versions prior to 1.15.0, 1.14.4, 1.13.8, or 1.12.10, the node is exposed.
  • Verify healthzPort is not 0 (disabled) and healthzBindAddress is not 127.0.0.1 by querying: kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq -r '.kubeletconfig.healthzBindAddress, .kubeletconfig.healthzPort'
  • Shodan/FOFA hunting: search for Kubernetes nodes exposing the pprof debug endpoint using query 'http.title:"kubernetes web view"'.
  • The vulnerability is NOT exposed by the default Kubelet configuration; the healthz endpoint binds to localhost (127.0.0.1:10248) by default, limiting exposure to pods or processes in the host network namespace.
  • OpenShift Container Platform 3 is not affected because the kubelet healthz server is disabled by default (healthzPort=0).
  • OpenShift Container Platform 4 enables /debug/pprof on the kubelet healthz server but restricts it to local traffic only.
  • Affected versions are strictly prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10; patched versions are not vulnerable.
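
The version and configuration checks above can be combined into one per-node verdict. This is an added example, not code from this page or from the Kubernetes project: the function names, status strings and sample nodes are constructed, and it assumes the kubelet version comes from the node's status.nodeInfo.kubeletVersion and the JSON is the /configz output queried in the bullet above.

```python
import ipaddress
import json
import re

# First patched release per minor line, taken from the advisory text above.
FIXED_PATCH = {12: 10, 13: 8, 14: 4}

def version_affected(kubelet_version):
    """True if the version is prior to 1.15.0, 1.14.4, 1.13.8 or 1.12.10."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", kubelet_version)
    if not m:
        raise ValueError(f"unparseable kubelet version: {kubelet_version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= (1, 15):
        return False
    if major < 1 or minor < 12:
        return True  # older than every patched line
    return patch < FIXED_PATCH[minor]

def healthz_reachable_off_host(kubeletconfig):
    """True if the healthz server is enabled and bound to a non-loopback address."""
    # Assumption: absent keys fall back to the defaults the page states.
    port = kubeletconfig.get("healthzPort", 10248)
    addr = kubeletconfig.get("healthzBindAddress", "127.0.0.1")
    if port == 0:  # 0 disables the healthz server
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable bind address: flag for manual review

def assess_node(kubelet_version, configz_json):
    """Return 'exposed', 'affected-not-remote' or 'patched' for one node."""
    cfg = json.loads(configz_json)["kubeletconfig"]
    if not version_affected(kubelet_version):
        return "patched"
    return "exposed" if healthz_reachable_off_host(cfg) else "affected-not-remote"

if __name__ == "__main__":
    # Constructed sample nodes: (name, kubeletVersion, configz JSON).
    nodes = [
        ("node-a", "v1.14.3", '{"kubeletconfig": {"healthzBindAddress": "0.0.0.0", "healthzPort": 10248}}'),
        ("node-b", "v1.13.7-gke.1", '{"kubeletconfig": {"healthzBindAddress": "127.0.0.1", "healthzPort": 10248}}'),
        ("node-c", "v1.12.9", '{"kubeletconfig": {"healthzBindAddress": "0.0.0.0", "healthzPort": 0}}'),
        ("node-d", "v1.15.0", '{"kubeletconfig": {"healthzBindAddress": "0.0.0.0", "healthzPort": 10248}}'),
    ]
    for name, version, configz in nodes:
        print(f"{name}\t{version}\t{assess_node(version, configz)}")
```

A node reported as affected-not-remote still serves pprof to pods or processes in the host network namespace, as the notes above state, so upgrading remains the fix.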

CVSS provenance

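Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P
osv | | 8.2 | HIGH |
vulncheck | | 8.2 | HIGH |
vendor_debian | | 8.2 | HIGH |
vendor_redhat | | 8.2 | HIGH |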