8.1
CVE-2019-11243
- EPSS 0.25%
- Veröffentlicht 22.04.2019 15:29:00
- Zuletzt bearbeitet 21.11.2024 04:20:47
- Quelle jordan@liggitt.net
- Teams Watchlist Login
- Unerledigt Login
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Kubernetes ≫ Kubernetes Version >= 1.12.0 <= 1.12.4
Kubernetes ≫ Kubernetes Version1.13.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.485 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
| jordan@liggitt.net | 3.1 | 1.6 | 1.4 |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
CWE-271 Privilege Dropping / Lowering Errors
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.