CVE-2019-11245

Public Exploit
kubelet-started container uid changes to root after first restart or if image is already pulled to the node

Description

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Remediation

Workaround:

  • Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions).

Categories

4.9
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.12%
Third-Party Advisory github.com
Affected: Kubernetes Kubernetes
Published at:
Updated at:

References

Link Tags
https://github.com/kubernetes/kubernetes/issues/78308 exploit third party advisory patch
https://security.netapp.com/advisory/ntap-20190919-0003/

Frequently Asked Questions

What is the severity of CVE-2019-11245?
CVE-2019-11245 has been scored as a medium severity vulnerability.
How to fix CVE-2019-11245?
As a workaround for remediating CVE-2019-11245: Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions).
Is CVE-2019-11245 being actively exploited in the wild?
It is possible that CVE-2019-11245 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-11245?
CVE-2019-11245 affects Kubernetes Kubernetes.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.