CVE-2019-11248
critical-risk
Published 2019-08-29
The Go net/http/pprof debugging endpoint, /debug/pprof, is served on the Kubelet's healthz port, which requires no authentication. Anyone who can reach that port can pull profiling data that leaks sensitive information such as internal Kubelet memory addresses and configuration, or trigger expensive profiles for a limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. Upstream rates the issue medium severity, and the default configuration does not expose it because the healthz port binds to localhost only.
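A quick way to find out whether a given kubelet listener is affected is to ask it for /healthz (which any kubelet answers) and then for /debug/pprof/ on the same port. The script below is an added example written for this advisory, not code from the page or from the Kubernetes project. It assumes the kubelet defaults: healthz on TCP 10248, bound to 127.0.0.1, so a hit on a non-loopback address means the listener was rebound; the host and port arguments are hypothetical inputs you supply.

```python
"""Check whether a kubelet healthz listener also serves Go's /debug/pprof.

Added example for this advisory, not code from the page or from Kubernetes.
Assumes the kubelet defaults: healthz on TCP 10248, bound to 127.0.0.1.
"""
import sys
import urllib.error
import urllib.request

DEFAULT_HEALTHZ_PORT = 10248  # kubelet --healthz-port default


def fetch(url, timeout=3.0):
    """GET url and return (status, body).

    HTTP error codes are returned rather than raised; connection failures
    (refused, timeout, no route) return (None, "")."""
    req = urllib.request.Request(url, headers={"User-Agent": "pprof-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(healthz_status, pprof_status, pprof_body):
    """Map the two probe results to a verdict.

    Kept free of network I/O so it can be exercised against constructed
    responses."""
    if healthz_status is None:
        return "unreachable"
    if healthz_status != 200:
        return "not-a-healthz-listener"
    # Go's pprof index page names itself in its title/heading and lists the
    # available profiles, so either string identifies it.
    if pprof_status == 200 and ("/debug/pprof/" in pprof_body or "profiles" in pprof_body):
        return "pprof-exposed"
    if pprof_status in (401, 403):
        return "pprof-requires-auth"
    if pprof_status == 404:
        return "pprof-absent"
    return "inconclusive"


def check_listener(host, port=DEFAULT_HEALTHZ_PORT):
    """Probe one kubelet healthz listener and return the verdict string."""
    base = f"http://{host}:{port}"
    healthz_status, _ = fetch(f"{base}/healthz")
    pprof_status, pprof_body = fetch(f"{base}/debug/pprof/")
    return classify(healthz_status, pprof_status, pprof_body)


if __name__ == "__main__":
    # Usage: python3 pprof_check.py <node-ip> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_HEALTHZ_PORT
    verdict = check_listener(target, target_port)
    print(f"{target}:{target_port} -> {verdict}")
    sys.exit(1 if verdict == "pprof-exposed" else 0)
```

Run it against each node's address from somewhere other than the node itself: "pprof-exposed" on a non-loopback address means the healthz listener has been rebound and the kubelet is still unpatched, "pprof-absent" on a listener that still answers /healthz is the result you expect from a fixed release, and "unreachable" from off-box is the default (loopback-only) posture the description refers to.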
Do I need to act?
EPSS: 91.0% chance of exploitation in the next 30 days (score higher than 9% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not tracked here, but the description above lists the fixed releases (1.15.0, 1.14.4, 1.13.8, 1.12.10); check vendor advisories for fix availability and mitigation guidance
CVSS: 8.2/10 (High), attack vector NETWORK, attack complexity LOW
Affected Products (20)
Affected Vendors
References (6)
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190919-0003/
Risk score: 74/100 (critical-risk)
Severity: 28/34, Critical
Exploitability: 20/34, Moderate
Exposure: 26/34, High