Vulnerability Details CVE-2019-11243
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig().
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.4%
CVSS Severity
CVSS v3 Score 3.1
CVSS v2 Score 4.3
Products affected by CVE-2019-11243
- cpe:2.3:a:kubernetes:kubernetes:1.12.0
- cpe:2.3:a:kubernetes:kubernetes:1.12.1
- cpe:2.3:a:kubernetes:kubernetes:1.12.2
- cpe:2.3:a:kubernetes:kubernetes:1.12.3
- cpe:2.3:a:kubernetes:kubernetes:1.12.4
- cpe:2.3:a:kubernetes:kubernetes:1.13.0
- cpe:2.3:a:netapp:trident:-