CVE-2019-11247

Kubernetes kube-apiserver allows access to custom resources via wrong scope

Description

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

Remediation

Workaround:

  • To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.

Categories

8.1
CVSS
Severity: High
CVSS 3.1 •
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.46%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Kubernetes Kubernetes
Published at:
Updated at:

References

Link Tags
https://github.com/kubernetes/kubernetes/issues/80983 third party advisory
https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ third party advisory mailing list
https://access.redhat.com/errata/RHSA-2019:2690 third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20190919-0003/ third party advisory
https://access.redhat.com/errata/RHBA-2019:2816 third party advisory vendor advisory
https://access.redhat.com/errata/RHBA-2019:2824 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:2769 third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2019-11247?
CVE-2019-11247 has been scored as a high severity vulnerability.
How to fix CVE-2019-11247?
As a workaround for remediating CVE-2019-11247: To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.
Is CVE-2019-11247 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-11247 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-11247?
CVE-2019-11247 affects Kubernetes Kubernetes.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.