CVE-2019-11254

Aliases:GHSA-wxc4-f4m6-wwqvGO-2020-0036
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 01 Apr 2020, 20:30
Last modified:16 Sept 2024, 23:16

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.12% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

01 Apr 2020, 20:30
Published
Vulnerability first disclosed
16 Sept 2024, 23:16
Last Modified
Vulnerability information updated

Description

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 4AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.12% Percentile: 31%

Techniques & Countermeasures

  • CWE-1050Excessive Platform Resource Consumption within a Loop

    The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.

Affected Systems

  • github.com/go-yamlyaml

    ≤ 2.1.0 | all

  • gopkg.inyaml.v2

    < 2.2.8

  • kuberneteskubernetes

    < 1.15.10 | ≥ 1.16.0, < 1.16.7 | ≥ 1.17.0, < 1.17.3 | prior to 1.15.10 | prior to 1.16.7 | prior to 1.17.3 | 1.1 | 1.2 | 1.3 | 1.4 | 1.5 | 1.6 | 1.7 | 1.8 | 1.9 | 1.10 | 1.11 | 1.12 | 1.13 | 1.14

References (10)