Moderate severityNVD Advisory· Published Dec 5, 2019· Updated Sep 16, 2024
Kubernetes CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation
CVE-2019-11255
Description
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/kubernetes-csi/external-provisionerGo | < 0.4.3 | 0.4.3 |
github.com/kubernetes-csi/external-provisionerGo | >= 1.0.0, < 1.0.2 | 1.0.2 |
github.com/kubernetes-csi/external-provisionerGo | >= 1.2.0, < 1.2.2 | 1.2.2 |
github.com/kubernetes-csi/external-provisionerGo | >= 1.3.0, < 1.3.1 | 1.3.1 |
github.com/kubernetes-csi/external-snapshotter/v6Go | >= 1.0.0, < 1.0.2 | 1.0.2 |
github.com/kubernetes-csi/external-snapshotter/v6Go | >= 1.2.0, < 1.2.2 | 1.2.2 |
Affected products
162- osv-coords159 versionspkg:apk/chainguard/aws-ebs-csi-driverpkg:apk/chainguard/aws-ebs-csi-driver-1.18pkg:apk/chainguard/aws-ebs-csi-driver-1.19pkg:apk/chainguard/aws-efs-csi-driverpkg:apk/chainguard/calicopkg:apk/chainguard/calico-apiserverpkg:apk/chainguard/calico-app-policypkg:apk/chainguard/calico-cnipkg:apk/chainguard/calico-cni-compatpkg:apk/chainguard/calicoctlpkg:apk/chainguard/calico-felixpkg:apk/chainguard/calico-key-cert-provisionerpkg:apk/chainguard/calico-kube-controllerspkg:apk/chainguard/calico-nodepkg:apk/chainguard/calico-pod2daemonpkg:apk/chainguard/calico-pod2daemon-flexvol-compatpkg:apk/chainguard/calico-typha-clientpkg:apk/chainguard/calico-typhadpkg:apk/chainguard/crictlpkg:apk/chainguard/critestpkg:apk/chainguard/cri-toolspkg:apk/chainguard/eks-distro-kubernetes-csi-external-provisioner-3.6pkg:apk/chainguard/eks-distro-kubernetes-csi-external-provisioner-4.0pkg:apk/chainguard/kubeadm-1.26pkg:apk/chainguard/kubeadm-1.26-defaultpkg:apk/chainguard/kubeadm-1.27pkg:apk/chainguard/kubeadm-1.27-defaultpkg:apk/chainguard/kubeadm-1.28pkg:apk/chainguard/kubeadm-1.28-defaultpkg:apk/chainguard/kube-apiserver-1.26pkg:apk/chainguard/kube-apiserver-1.26-defaultpkg:apk/chainguard/kube-apiserver-1.27pkg:apk/chainguard/kube-apiserver-1.27-defaultpkg:apk/chainguard/kube-apiserver-1.28pkg:apk/chainguard/kube-apiserver-1.28-defaultpkg:apk/chainguard/kube-controller-manager-1.26pkg:apk/chainguard/kube-controller-manager-1.26-defaultpkg:apk/chainguard/kube-controller-manager-1.27pkg:apk/chainguard/kube-controller-manager-1.27-defaultpkg:apk/chainguard/kube-controller-manager-1.28pkg:apk/chainguard/kube-controller-manager-1.28-defaultpkg:apk/chainguard/kubectl-1.26pkg:apk/chainguard/kubectl-1.26-defaultpkg:apk/chainguard/kubectl-1.27pkg:apk/chainguard/kubectl-1.27-defaultpkg:apk/chainguard/kubectl-1.28pkg:apk/chainguard/kubectl-1.28-bitnami-compatpkg:apk/chainguard/kubectl-1.28-defaultpkg:apk/chainguard/kubectl-bash-completion-1.26pkg:apk/chainguard/kubectl-bash-completion-1.27pkg:apk/chainguard/kubectl-bash-completion-1.28pkg:apk/chainguard/kubelet-1.26pkg:apk/chainguard/kubelet-1.26-defaultpkg:apk/chainguard/kubelet-1.27pkg:apk/chainguard/kubelet-1.27-defaultpkg:apk/chainguard/kubelet-1.28pkg:apk/chainguard/kubelet-1.28-defaultpkg:apk/chainguard/kube-proxy-1.26pkg:apk/chainguard/kube-proxy-1.26-defaultpkg:apk/chainguard/kube-proxy-1.27pkg:apk/chainguard/kube-proxy-1.27-defaultpkg:apk/chainguard/kube-proxy-1.28pkg:apk/chainguard/kube-proxy-1.28-defaultpkg:apk/chainguard/kube-proxy-1.28-default-compatpkg:apk/chainguard/kubernetes-1.26pkg:apk/chainguard/kubernetes-1.26-defaultpkg:apk/chainguard/kubernetes-1.27pkg:apk/chainguard/kubernetes-1.27-defaultpkg:apk/chainguard/kubernetes-1.28pkg:apk/chainguard/kubernetes-1.28-defaultpkg:apk/chainguard/kubernetes-csi-external-provisionerpkg:apk/chainguard/kubernetes-dns-node-cachepkg:apk/chainguard/kubernetes-pause-1.28pkg:apk/chainguard/kubernetes-pause-3.9pkg:apk/chainguard/kubernetes-pause-compat-1.28pkg:apk/chainguard/kube-scheduler-1.26pkg:apk/chainguard/kube-scheduler-1.26-defaultpkg:apk/chainguard/kube-scheduler-1.27pkg:apk/chainguard/kube-scheduler-1.27-defaultpkg:apk/chainguard/kube-scheduler-1.28pkg:apk/chainguard/kube-scheduler-1.28-defaultpkg:apk/chainguard/nodetaintpkg:apk/wolfi/aws-ebs-csi-driverpkg:apk/wolfi/aws-efs-csi-driverpkg:apk/wolfi/calicopkg:apk/wolfi/calico-apiserverpkg:apk/wolfi/calico-app-policypkg:apk/wolfi/calico-cnipkg:apk/wolfi/calico-cni-compatpkg:apk/wolfi/calicoctlpkg:apk/wolfi/calico-felixpkg:apk/wolfi/calico-key-cert-provisionerpkg:apk/wolfi/calico-kube-controllerspkg:apk/wolfi/calico-nodepkg:apk/wolfi/calico-pod2daemonpkg:apk/wolfi/calico-pod2daemon-flexvol-compatpkg:apk/wolfi/calico-typha-clientpkg:apk/wolfi/calico-typhadpkg:apk/wolfi/crictlpkg:apk/wolfi/critestpkg:apk/wolfi/cri-toolspkg:apk/wolfi/kubeadm-1.26pkg:apk/wolfi/kubeadm-1.26-defaultpkg:apk/wolfi/kubeadm-1.27pkg:apk/wolfi/kubeadm-1.27-defaultpkg:apk/wolfi/kubeadm-1.28pkg:apk/wolfi/kubeadm-1.28-defaultpkg:apk/wolfi/kube-apiserver-1.26pkg:apk/wolfi/kube-apiserver-1.26-defaultpkg:apk/wolfi/kube-apiserver-1.27pkg:apk/wolfi/kube-apiserver-1.27-defaultpkg:apk/wolfi/kube-apiserver-1.28pkg:apk/wolfi/kube-apiserver-1.28-defaultpkg:apk/wolfi/kube-controller-manager-1.26pkg:apk/wolfi/kube-controller-manager-1.26-defaultpkg:apk/wolfi/kube-controller-manager-1.27pkg:apk/wolfi/kube-controller-manager-1.27-defaultpkg:apk/wolfi/kube-controller-manager-1.28pkg:apk/wolfi/kube-controller-manager-1.28-defaultpkg:apk/wolfi/kubectl-1.26pkg:apk/wolfi/kubectl-1.26-defaultpkg:apk/wolfi/kubectl-1.27pkg:apk/wolfi/kubectl-1.27-defaultpkg:apk/wolfi/kubectl-1.28pkg:apk/wolfi/kubectl-1.28-defaultpkg:apk/wolfi/kubectl-bash-completion-1.26pkg:apk/wolfi/kubectl-bash-completion-1.27pkg:apk/wolfi/kubectl-bash-completion-1.28pkg:apk/wolfi/kubelet-1.26pkg:apk/wolfi/kubelet-1.26-defaultpkg:apk/wolfi/kubelet-1.27pkg:apk/wolfi/kubelet-1.27-defaultpkg:apk/wolfi/kubelet-1.28pkg:apk/wolfi/kubelet-1.28-defaultpkg:apk/wolfi/kube-proxy-1.26pkg:apk/wolfi/kube-proxy-1.26-defaultpkg:apk/wolfi/kube-proxy-1.27pkg:apk/wolfi/kube-proxy-1.27-defaultpkg:apk/wolfi/kube-proxy-1.28pkg:apk/wolfi/kube-proxy-1.28-defaultpkg:apk/wolfi/kubernetes-1.26pkg:apk/wolfi/kubernetes-1.26-defaultpkg:apk/wolfi/kubernetes-1.27pkg:apk/wolfi/kubernetes-1.27-defaultpkg:apk/wolfi/kubernetes-1.28pkg:apk/wolfi/kubernetes-1.28-defaultpkg:apk/wolfi/kubernetes-csi-external-provisionerpkg:apk/wolfi/kubernetes-dns-node-cachepkg:apk/wolfi/kubernetes-pause-3.9pkg:apk/wolfi/kube-scheduler-1.26pkg:apk/wolfi/kube-scheduler-1.26-defaultpkg:apk/wolfi/kube-scheduler-1.27pkg:apk/wolfi/kube-scheduler-1.27-defaultpkg:apk/wolfi/kube-scheduler-1.28pkg:apk/wolfi/kube-scheduler-1.28-defaultpkg:apk/wolfi/nodetaintpkg:golang/github.com/kubernetes-csi/external-provisionerpkg:golang/github.com/kubernetes-csi/external-resizerpkg:golang/github.com/kubernetes-csi/external-snapshotter/v6
< 0+ 158 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 4.0.0-r4
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.4.3
- (no CPE)
- (no CPE)range: >= 1.0.0, < 1.0.2
- Kubernetes/kubernetes-csi external-provisionerv5Range: prior to 1.0.2
- Kubernetes/kubernetes-csi external-resizerv5Range: 0.1
- Kubernetes/kubernetes-csi external-snapshotterv5Range: prior to 0.4.2
Patches
Vulnerability mechanics
References
11- access.redhat.com/errata/RHSA-2019:4054ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4096ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4099ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4225ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-f4w6-3rh6-6q4qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-11255ghsaADVISORY
- github.com/kubernetes/kubernetes/issues/85233ghsax_refsource_CONFIRMWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/mitremailing-listx_refsource_MLIST
- security.netapp.com/advisory/ntap-20200810-0003ghsaWEB
- security.netapp.com/advisory/ntap-20200810-0003/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.