CVE-2019-11254: Excessive Platform Resource Consumption within a Loop in Yaml.v2

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 68.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 1; Latest update Dec 21

Description

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (6 packages)

Source   | Package               | Affected versions
Go       | gopkg.in/yaml.v2      | < 2.2.8
Debian   | debian/kubernetes     | < kubernetes 1.17.4-1 (bookworm)
NVD      | kubernetes/kubernetes | 1.16.0 - 1.16.7 (+2)
Debian   | kubernetes/kubernetes | < 1.17.4-1 (+3)

Vulnerability Details (4)

GHSA: Excessive Platform Resource Consumption within a Loop in Kubernetes (2021-12-20)
OSV: Excessive Platform Resource Consumption within a Loop in Kubernetes (2021-12-20)
OSV: Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2 (2021-04-14)
OSV: CVE-2019-11254: The Kubernetes API Server component in versions 1 ... (2020-04-01)

Vendor Advisories (2)

Red Hat: kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (2020-03-27)
Debian: CVE-2019-11254: kubernetes - The Kubernetes API Server component in versions 1.1-1.14, and versions prior to ... (2019)

Research Papers (1)

arXiv: KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration (2021-12-21)

Community (1)

Bugzilla: CVE-2019-11254 kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (2020-04-01)
CVE-2019-11254 — Gopkg.in Yaml.v2 vulnerability | cvebase