CVE-2019-11254
Kubernetes API Server denial of service vulnerability from malicious YAML payloads
In short
The Kubernetes API Server can be made to consume excessive CPU resources when processing specially crafted YAML files, causing service slowdown or unavailability. An authorized user can exploit this to disrupt the cluster's management capabilities.
Technical detail
CVE-2019-11254 is a denial-of-service vulnerability in Kubernetes API Server (versions 1.1-1.14, and <1.15.10, <1.16.7, <1.17.3) triggered by malicious YAML payloads sent by authenticated users. The vulnerability stems from inefficient YAML parsing logic that allows crafted input to consume excessive CPU cycles, impacting API server availability and cluster operations.
Summary generated and translated by AI from the official description.
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
Kubernetes · Kubernetes