CVE-2019-1002100

Aliases:GHSA-q4rr-64r9-fwgfGO-2023-1946

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2019-1002100 OPENSUSE-SU-2025:15424-1 RHSA-2019:1851 RHSA-2019:3239 UBUNTU-CVE-2019-1002100

Modified

Published: 01 Apr 2019, 14:14

Last modified:05 Aug 2024, 03:00

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

6.5 MEDIUM

v3.0 (cve.org)

EPSS Score

2.68% LOW

3% probability -5.83%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 Apr 2019, 14:14

Published

Vulnerability first disclosed

05 Aug 2024, 03:00

Last Modified

Vulnerability information updated

Description

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 2.68%• Percentile: 86%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

k8s.io•kubernetes
≥ 1.0.0, ≤ 1.10.14 | ≥ 1.11.0, < 1.11.8 | ≥ 1.12.0, < 1.12.6 | ≥ 1.13.0, < 1.13.4
kubernetes•kubernetes
< 1.11.8 | ≥ 1.12.0, < 1.12.6 | ≥ 1.13.0, < 1.13.4 | v1.0.x | v1.1.x | v1.2.x | v1.3.x | v1.4.x | v1.5.x | v1.6.x | v1.7.x | v1.8.x | v1.9.x | v1.10.x | ≥ unspecified, < v1.11.8 | ≥ unspecified, < v1.12.6 | ≥ unspecified, < v1.13.4
redhat•openshift_container_platform
3.10 | 3.11