Moderate severity · NVD Advisory · Published Apr 1, 2020 · Updated Sep 16, 2024
Kubernetes API Server denial of service vulnerability from malicious YAML payloads
CVE-2019-11254
Description
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gopkg.in/yaml.v2 | Go | < 2.2.8 | 2.2.8 |
| github.com/go-yaml/yaml | Go | <= 2.1.0 | — |
Affected products
13 entries (12 with OSV package coordinates). Each coordinate is listed with the affected version range recorded for it; none carries a CPE.
- pkg:apk/chainguard/dex-k8s-authenticator — range: < 1.4.0-r36
- pkg:apk/chainguard/k3d — range: < 5.6.0-r11
- pkg:apk/chainguard/k3d-proxy — range: < 5.6.0-r11
- pkg:apk/chainguard/k3d-tools — range: < 5.6.0-r11
- pkg:apk/wolfi/k3d — range: < 5.6.0-r11
- pkg:apk/wolfi/k3d-proxy — range: < 5.6.0-r11
- pkg:apk/wolfi/k3d-tools — range: < 5.6.0-r11
- pkg:golang/github.com/go-yaml/yaml — range: <= 2.1.0
- pkg:golang/gopkg.in/yaml.v2 — range: < 2.2.8
- pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.6 — range: < 3.5.12-bp156.4.3.1
- pkg:rpm/opensuse/etcd&distro=openSUSE%20Tumbleweed — range: < 3.5.2-1.1
- pkg:rpm/suse/etcd&distro=SUSE%20Package%20Hub%2015%20SP6 — range: < 3.5.12-bp156.4.3.1
- (no package coordinates) — range: prior to 1.15.10
References
11 references (source and reference type noted in parentheses):
- github.com/advisories/GHSA-wxc4-f4m6-wwqv (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-11254 (GHSA: advisory)
- bugs.chromium.org/p/oss-fuzz/issues/detail (GHSA: web)
- github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48 (GHSA: web)
- github.com/go-yaml/yaml/pull/555 (GHSA: web)
- github.com/kubernetes/kubernetes/issues/89535 (GHSA: web, x_refsource_MISC)
- github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8 (GHSA: web)
- groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ (GHSA: web, x_refsource_MISC)
- pkg.go.dev/vuln/GO-2020-0036 (GHSA: web)
- security.netapp.com/advisory/ntap-20200413-0003 (GHSA: web; MITRE: x_refsource_CONFIRM)