Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-11248Unprotected Primary Channel in Kubernetes

CWE-419Unprotected Primary ChannelCWE-862Missing AuthorizationCWE-284Improper Access Control11 documents10 sources
Severity
8.2HIGHNVD
EPSS
91.0%
top 0.36%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
KubernetesDebian Kubernetes
Timeline
PublishedAug 29
Latest updateJul 31

Description

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:LExploitability: 3.9 | Impact: 4.2

Affected Packages4 packages

debiandebian/kubernetes< kubernetes 1.17.4-1 (bookworm)
NVDkubernetes/kubernetes< 1.12.10+15
Debiankubernetes/kubernetes< 1.17.4-1+3
CVEListV5kubernetes/kubernetes13 versions+12

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-9frv-h2cf-52wh: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port2022-05-24
OSV
CVE-2019-11248: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port2019-08-29
VulnCheck
kubernetes kubernetes Unprotected Primary Channel2019

💥Exploits & PoCs

1
Nuclei
Debug Endpoint pprof - Exposure Detection

📋Vendor Advisories

2
Red Hat
kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port2019-08-07
Debian
CVE-2019-11248: kubernetes - The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet ...2019

📄Research Papers

1
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights2024-07-31

💬Community

3
HackerOne
CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine2022-07-18
Bugzilla
CVE-2019-11248 kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port [fedora-all]2019-08-07
Bugzilla
CVE-2019-11248 kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port2019-08-07
CVE-2019-11248 — Unprotected Primary Channel | cvebase