CVE-2019-11255
Description
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume mutation during snapshot, restore from snapshot, cloning and resizing operations.
CWE
- CWE-20: Improper Input Validation
Affected
- Kubernetes / kubernetes-csi external-provisioner — v=prior to 1.0.2 [affected]; v=1.1 [affected]; v=prior to 1.2.2 [affected]; v=prior to 1.3.1 [affected]; v=v1.14 <prior to 0.4.3 [affected]
- Kubernetes / kubernetes-csi external-snapshotter — v=prior to 0.4.2 [affected]; v=prior to 1.0.2 [affected]; v=1.1 [affected]; v=prior to 1.2.2 [affected]
- Kubernetes / kubernetes-csi external-resizer — v=0.1 [affected]; v=0.2 [affected]
CVSS
- 3.1 score=4.8 severity=MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
References
- https://github.com/kubernetes/kubernetes/issues/85233 x_refsource_CONFIRM
- https://groups.google.com/forum/#%21topic/kubernetes-security-announce/aXiYN0q4uIw mailing-list, x_refsource_MLIST
- https://access.redhat.com/errata/RHSA-2019:4099 vendor-advisory, x_refsource_REDHAT
- https://access.redhat.com/errata/RHSA-2019:4096 vendor-advisory, x_refsource_REDHAT
- https://access.redhat.com/errata/RHSA-2019:4054 vendor-advisory, x_refsource_REDHAT
- https://access.redhat.com/errata/RHSA-2019:4225 vendor-advisory, x_refsource_REDHAT
- https://security.netapp.com/advisory/ntap-20200810-0003/ x_refsource_CONFIRM
Source
cvelistV5-main/cves/2019/11xxx/CVE-2019-11255.json