VDB
CVE-2019-9946
CVE-2019-9946
REJECTED
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
EPSS 0.36% · 58.4th percentile
Risk Scores
EPSS Score
0.36%
58.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | kubernetes | 0, 1.0 |
| Ubuntu:24.04:LTS | kubernetes | 0, 1.0 |
| Ubuntu:Pro:20.04:LTS | kubernetes | 0, 1.0 |
Timeline
- CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Nov 7, 2021 PoC Published
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9946 third-party-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1692712 third-party-advisory
- https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9946 third-party-advisory