CVE-2019-11245

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Published: Aug 29, 2019
Updated: May 4, 2025
CVE: CVE-2019-11245
GHSA: GHSA-r76g-g87f-vw8f
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-266
CWE-703
CWE-264

Affected Software
References

Software	From	Fixed in
kubernetes / kubernetes	1.13.6	1.13.6.x
kubernetes / kubernetes	1.14.2	1.14.2.x
k8s.io/kubernetes/cmd/kubelet	1.14.0	1.14.3
k8s.io/kubernetes/cmd/kubelet	1.13.0	1.13.7

https://bugzilla.redhat.com/show_bug.cgi?id=1715726
https://github.com/kubernetes/kubernetes/issues/78308
https://github.com/kubernetes/kubernetes/pull/76665
https://github.com/kubernetes/kubernetes/pull/76665/commits/26e3c8674e66f0d10170d34f5445f0aed207387f
https://pkg.go.dev/vuln/GO-2024-2780
https://security.netapp.com/advisory/ntap-20190919-0003
https://security.netapp.com/advisory/ntap-20190919-0003/

Vulnerability Database

289,599

CVE-2019-11245