Rapid7 Vulnerability & Exploit Database

Red Hat OpenShift: CVE-2019-11247: kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced

Free InsightVM Trial No Credit Card Necessary

Watch Demo See how it all works

Back to Search

Red Hat OpenShift: CVE-2019-11247: kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

08/16/2019

Created

08/17/2019

Added

08/16/2019

Modified

05/10/2023

Description

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

Solution(s)

linuxrpm-upgrade-ansible-service-broker
linuxrpm-upgrade-atomic-openshift
linuxrpm-upgrade-atomic-openshift-descheduler
linuxrpm-upgrade-atomic-openshift-dockerregistry
linuxrpm-upgrade-atomic-openshift-node-problem-detector
linuxrpm-upgrade-atomic-openshift-web-console
linuxrpm-upgrade-cockpit
linuxrpm-upgrade-containernetworking-plugins
linuxrpm-upgrade-cri-o
linuxrpm-upgrade-cri-tools
linuxrpm-upgrade-golang-github-openshift-oauth-proxy
linuxrpm-upgrade-golang-github-openshift-prometheus-alert-buffer
linuxrpm-upgrade-golang-github-prometheus-alertmanager
linuxrpm-upgrade-golang-github-prometheus-node_exporter
linuxrpm-upgrade-golang-github-prometheus-prometheus
linuxrpm-upgrade-golang-github-prometheus-promu
linuxrpm-upgrade-hawkular-openshift-agent
linuxrpm-upgrade-heapster
linuxrpm-upgrade-image-inspector
linuxrpm-upgrade-openshift
linuxrpm-upgrade-openshift-enterprise-image-registry
linuxrpm-upgrade-openshift-eventrouter
linuxrpm-upgrade-openshift-external-storage
linuxrpm-upgrade-openvswitch-ovn-kubernetes

References

https://attackerkb.com/topics/cve-2019-11247
CVE - 2019-11247
RHBA-2019:2816
RHBA-2019:2824
RHSA-2019:2504
RHSA-2019:2690
RHSA-2019:2769

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Red Hat OpenShift: CVE-2019-11247: kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced

Red Hat OpenShift: CVE-2019-11247: kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.