CVE-2019-11255 — Improper Input Validation in Kubernetes Kubernetes-csi External-provisioner

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.5MEDIUMNVD

CNA4.8

EPSS

0.9%

top 25.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Kubernetes-csi External-provisioner Github.com Kubernetes-csi External-provisioner Github.com Kubernetes-csi External-snapshotter V6 +6 more

Timeline

PublishedDec 5

Latest updateMay 24

Description

Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages8 packages

▶Gogithub.com/kubernetes-csi_external-snapshotter_v61.0.0 — 1.0.2+1

▶NVDkubernetes/external-snapshotter0.4.0 — 0.4.1+2

▶CVEListV5kubernetes/kubernetes-csi_external-snapshotter4 versions+3

▶CVEListV5kubernetes/kubernetes-csi_external-provisionerv1.14 — prior to 0.4.3+4

▶Gogithub.com/kubernetes-csi_external-provisioner1.0.0 — 1.0.2+3

Also affects: Openshift Container Platform 3.11, 4.1, 4.2

🔴Vulnerability Details

OSV

Kubernetes CSI Sidecar Containers Can Allow Unauthorized Data Access↗2022-05-24

▶

GHSA

Kubernetes CSI Sidecar Containers Can Allow Unauthorized Data Access↗2022-05-24

▶

CVEList

Kubernetes CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation↗2019-12-05

▶

📋Vendor Advisories

Red Hat

kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation↗2019-11-15

▶

💬Community

Bugzilla

CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation↗2019-11-15

▶

External resources

NVD MITRE

Affected products9

Github.com Kubernetes-csi External-provisioner≥ 0, < 0.4.3≥ 1.0.0, < 1.0.2≥ 1.2.0, < 1.2.2+1 more

Github.com Kubernetes-csi External-snapshotter V6≥ 1.0.0, < 1.0.2≥ 1.2.0, < 1.2.2

Kubernetes External-provisioner≥ 0.4.1, ≤ 0.4.2≥ 1.0.0, ≤ 1.0.1≥ 1.1.0, ≤ 1.2.1+1 more

Kubernetes External-resizer≥ 0.1.0, ≤ 0.2.0

Kubernetes External-snapshotter≥ 0.4.0, ≤ 0.4.1≥ 1.0.0, ≤ 1.0.1≥ 1.1.0, ≤ 1.2.1

Kubernetes Kubernetes-csi External-provisioner≥ v1.14, < prior to 0.4.3v1.1vprior to 1.0.2+2 more

Kubernetes Kubernetes-csi External-resizerv0.1v0.2

Kubernetes Kubernetes-csi External-snapshotterv1.1vprior to 0.4.2vprior to 1.0.2+1 more

Redhat Openshift Container Platformv3.11v4.1v4.2

Disclosure

PublishedDec 5, 2019

Latest updateMay 24, 2022