CVE-2019-11255

Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.

Published: Dec 5, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-11255
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
kubernetes / external-resizer	0.1.0	0.2.0.x
kubernetes / external-snapshotter	0.4.0	0.4.1.x
kubernetes / external-snapshotter	1.0.0	1.0.1.x
kubernetes / external-snapshotter	1.1.0	1.2.1.x
kubernetes / external-provisioner	1.0.0	1.0.1.x
kubernetes / external-provisioner	0.4.1	0.4.2.x
kubernetes / external-provisioner	1.1.0	1.2.1.x
kubernetes / external-provisioner	1.3.0	1.3.0.x
redhat / openshift_container_platform	3.11	3.11.x
redhat / openshift_container_platform	4.1	4.1.x
redhat / openshift_container_platform	4.2	4.2.x

Vulnerability Database

289,784

CVE-2019-11255