What is CVE-2019-11254?

CVE-2019-11254 is a medium-severity vulnerability in Kubernetes, classified under CWE-1050. CVSS score: 6.5/10. Published 2020-04-01.

How severe is CVE-2019-11254?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Is CVE-2019-11254 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Kubernetes

CVE-2019-11254

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsin…

EPSS: 0.001 (30.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Affected products

Kubernetes — versions prior to 1.15.10, prior to 1.16.7, prior to 1.17.3

Weakness classification (CWE)

CWE-1050

Public proof-of-concept exploits

References

github.com/kubernetes/kubernetes/issues/89535 (x_refsource_MISC)
groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ (x_refsource_MISC)
security.netapp.com/advisory/ntap-20200413-0003/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2019-11254?: CVE-2019-11254 is a medium-severity vulnerability in Kubernetes, classified under CWE-1050. CVSS score: 6.5/10. Published 2020-04-01.
How severe is CVE-2019-11254?: Medium severity. CVSS v3 base score is 6.5 out of 10.
Is CVE-2019-11254 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.