CVE-2019-11243
moderate-risk
Published 2019-04-22
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig(). Per the linked issue (kubernetes/kubernetes#76797), the in-cluster config of those releases attached the pod's service account token through a transport wrapper (Config.WrapTransport) rather than through the bearer-token field, and the anonymizing copy carried that wrapper along. A request the caller believed to be unauthenticated was therefore sent with the pod's service account identity and privileges. Because the defect is in the client library (client-go), not in the API server, it affects any application built against the client-go releases cut from those Kubernetes versions; upgrading the control plane alone does not fix such applications, they must be rebuilt against a patched client-go.
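The defect pattern is a config copy that lists fields believed to be credential-free while one of them (WrapTransport) can inject a credential at request time. The Go program below is an added example, not client-go's code: it models a stripped-down rest.Config and in-cluster config (the Config type, tokenInjector, inClusterConfig, anonymousClientConfigAffected, anonymousClientConfigFixed, IsAnonymous, observedAuthorization and constructedToken are all constructed for this illustration), sends one request through each "anonymized" config to a local httptest server, and reports which Authorization header actually arrived. IsAnonymous is the unit check a consumer of such an API can keep in its own tests: every field that can carry or inject a credential must be empty, and a request through the copy must arrive with no Authorization header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config is a reduced model of client-go's rest.Config carrying only the
// fields this CVE turns on. It is an illustration, not client-go's own type.
type Config struct {
	Host          string
	CAData        []byte
	BearerToken   string
	Username      string
	Password      string
	CertData      []byte
	KeyData       []byte
	WrapTransport func(http.RoundTripper) http.RoundTripper
}

// constructedToken stands in for the pod's mounted service account token.
const constructedToken = "constructed-service-account-token"

// tokenInjector adds a bearer token to every request. It models the
// token-attaching transport wrapper that the affected rest.InClusterConfig()
// installed through Config.WrapTransport.
type tokenInjector struct {
	token string
	next  http.RoundTripper
}

func (t tokenInjector) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// inClusterConfig models the affected behaviour: BearerToken stays empty and
// the credential travels inside WrapTransport instead.
func inClusterConfig(host, token string) *Config {
	return &Config{
		Host:   host,
		CAData: []byte("constructed-ca-bundle"),
		WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
			return tokenInjector{token: token, next: rt}
		},
	}
}

// anonymousClientConfigAffected blanks the named credential fields but keeps
// WrapTransport as if it were harmless. That is the defect: the wrapper still
// carries the token.
func anonymousClientConfigAffected(c *Config) *Config {
	return &Config{Host: c.Host, CAData: c.CAData, WrapTransport: c.WrapTransport}
}

// anonymousClientConfigFixed copies only fields that cannot carry or inject
// a credential.
func anonymousClientConfigFixed(c *Config) *Config {
	return &Config{Host: c.Host, CAData: c.CAData}
}

// httpClient builds a client the way a transport layer would: a static
// bearer token becomes a header, then WrapTransport gets the last word.
func (c *Config) httpClient() *http.Client {
	var rt http.RoundTripper = http.DefaultTransport
	if c.BearerToken != "" {
		rt = tokenInjector{token: c.BearerToken, next: rt}
	}
	if c.WrapTransport != nil {
		rt = c.WrapTransport(rt)
	}
	return &http.Client{Transport: rt}
}

// IsAnonymous is the check to run on the result of an anonymizing copy:
// every field that can carry or inject a credential must be empty.
func (c *Config) IsAnonymous() bool {
	return c.BearerToken == "" && c.Username == "" && c.Password == "" &&
		len(c.CertData) == 0 && len(c.KeyData) == 0 && c.WrapTransport == nil
}

// observedAuthorization sends one request with the anonymized config to a
// local test server and returns the Authorization header the server saw.
// An empty string means the request really was anonymous.
func observedAuthorization(anonymize func(*Config) *Config) (string, error) {
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer srv.Close()

	cfg := anonymize(inClusterConfig(srv.URL, constructedToken))
	resp, err := cfg.httpClient().Get(cfg.Host + "/version")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, v := range []struct {
		name string
		fn   func(*Config) *Config
	}{{"affected", anonymousClientConfigAffected}, {"fixed", anonymousClientConfigFixed}} {
		auth, err := observedAuthorization(v.fn)
		if err != nil {
			panic(err)
		}
		static := v.fn(inClusterConfig("https://kubernetes.default.svc", constructedToken))
		fmt.Printf("%-8s IsAnonymous=%v Authorization=%q\n", v.name, static.IsAnonymous(), auth)
	}
}
```

The design point is the direction of the copy: the fixed variant enumerates fields known not to carry credentials, so a new credential-bearing field or hook added to the config later is dropped by default rather than leaked by default. A field-level check such as IsAnonymous is cheap but incomplete on its own, since a wrapper can inject anything; the end-to-end check against a recording server is what actually catches this class of bug.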
Do I need to act?
EPSS: 0.24% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: fixed upstream. The affected range ends at v1.12.4 and v1.13.0, so Kubernetes v1.12.5+ and v1.13.1+ (and the client-go releases cut from them) are unaffected. Applications that vendor an affected client-go and call rest.AnonymousClientConfig() on an in-cluster config must be rebuilt against a fixed client-go; check vendor advisories for distribution-specific fix availability and mitigation guidance.
CVSS 3.x base score: 8.1/10 (High); attack vector Network, attack complexity High
Affected Products (3) / Affected Vendors: Kubernetes v1.12.0-v1.12.4 and v1.13.0 (see description)
References (3)
Third Party Advisory: http://www.securityfocus.com/bid/108053
Third Party Advisory: https://github.com/kubernetes/kubernetes/issues/76797
Third Party Advisory: https://security.netapp.com/advisory/ntap-20190509-0002/
Risk score: 34 / 100 (moderate-risk)
Severity:       24/34 · High
Exploitability:  1/34 · Minimal
Exposure:        9/34 · Low