CVE-2019-11245

low-risk

Published 2019-08-29

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

LOCAL / HIGH complexity

Affected Products (2)

Kubernetes

Affected Vendors

Kubernetes

References (4)

Exploit https://github.com/kubernetes/kubernetes/issues/78308

https://security.netapp.com/advisory/ntap-20190919-0003/

Exploit https://github.com/kubernetes/kubernetes/issues/78308

https://security.netapp.com/advisory/ntap-20190919-0003/

/ 100

low-risk

Severity 13/34 · Low

Exploitability 1/34 · Minimal

Exposure 7/34 · Low