Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2019-11253 — Improper Input Validation in Kubernetes
Severity
7.5 HIGH (NVD)
EPSS
83.8%
top 0.71%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Oct 17
Latest update: Aug 21
Description
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more per…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 5 packages
Also affects: Openshift Container Platform 3.10, 3.11, 3.9
Vulnerability Details (7)
OSV
XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes (2024-08-21)
OSV
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing (2023-02-08)
GHSA
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing (2023-02-08)
Exploits & PoCs (1)
Nuclei
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)