CVE-2019-11255

Kubernetes CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

Description

Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.

Remediation

Workaround:

  • Kubernetes feature gates can be disabled and RBAC permissions revoked from impacted CSI drivers, following instructions in https://github.com/kubernetes/kubernetes/issues/85233

Category

4.8
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.70% Top 30%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Kubernetes kubernetes-csi external-provisioner
Affected: Kubernetes kubernetes-csi external-snapshotter
Affected: Kubernetes kubernetes-csi external-resizer
Published at:
Updated at:

References

Link Tags
https://github.com/kubernetes/kubernetes/issues/85233 mitigation third party advisory
https://groups.google.com/forum/#%21topic/kubernetes-security-announce/aXiYN0q4uIw mailing list
https://access.redhat.com/errata/RHSA-2019:4099 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:4096 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:4054 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2019:4225 third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20200810-0003/

Frequently Asked Questions

What is the severity of CVE-2019-11255?
CVE-2019-11255 has been scored as a medium severity vulnerability.
How to fix CVE-2019-11255?
As a workaround for remediating CVE-2019-11255: Kubernetes feature gates can be disabled and RBAC permissions revoked from impacted CSI drivers, following instructions in https://github.com/kubernetes/kubernetes/issues/85233
Is CVE-2019-11255 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-11255 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-11255?
CVE-2019-11255 affects Kubernetes kubernetes-csi external-provisioner, Kubernetes kubernetes-csi external-snapshotter, Kubernetes kubernetes-csi external-resizer.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.