CVE-2019-1002100
Severity: MEDIUM 6.5 | EPSS: 2.7% | Kubernetes DoS Vulnerability in k8s.io/kubernetes
Published: 5/13/2022 | Modified: 4/28/2026
Also known as: DEBIAN-CVE-2019-1002100
Description
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
Affected packages (3)
- Debian / kubernetes: from 0, < 1.17.4-1
- Go / k8s.io/kubernetes: >= 1.0.0, <= 1.10.14
- Go / k8s.io/kubernetes: >= 1.0.0, < 1.11.8; >= 1.12.0, < 1.12.6; >= 1.13.0, < 1.13.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (10)
- ADVISORY: https://github.com/advisories/GHSA-q4rr-64r9-fwgf
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-1002100
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2019-1002100
- PATCH: https://github.com/kubernetes/kubernetes
- WEB: https://access.redhat.com/errata/RHSA-2019:1851
- WEB: https://access.redhat.com/errata/RHSA-2019:3239
- WEB: https://github.com/kubernetes/kubernetes/issues/74534
- WEB: https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g
- WEB: https://security.netapp.com/advisory/ntap-20190416-0002
- WEB: https://web.archive.org/web/20210125011246/https://www.securityfocus.com/bid/107290