DEBIAN-CVE-2019-11247

DEBIAN-CVE-2019-11247 PUBLISHED CVSS 8.100000381469727 HIGH

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

Risk Scores

CVSS 3.1

8.100000381469727

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:11	kubernetes	0, 0, 0
Debian:12	kubernetes	0, 0, 0
Debian:14	kubernetes	0, 0, 0
Debian:13	kubernetes	0, 0, 0

Exploit Intelligence

CVE.json (github-poc)

Timeline

Aug 29, 2019 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2019-11247 advisory

Open in Interactive Console →