CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534
Labels: area/security, kind/bug, official-cve-feed, sig/api-machinery
[CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (6.5, medium)
Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Thanks to Carl Henrik Lunde for reporting this problem.
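The description above says the problem is a JSON Patch body that costs the server too much to process. The following Go program is an added illustration of the defensive shape of such a check, written for this page; it is not Kubernetes code and the limits it uses (`maxPatchOperations`, `maxPatchBytes`) are assumed values chosen for the example, not the project's own. It decodes an RFC 6902 patch document, bounds its byte size before decoding and its operation count after, and rejects operations of unknown type, so oversized or malformed patches are refused before any expensive apply step runs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// maxPatchOperations is an assumed cap for this example, not a value from the advisory.
const maxPatchOperations = 10000

// maxPatchBytes is an assumed byte cap checked before the body is decoded at all.
const maxPatchBytes = 1 << 20

var (
	errTooManyOps = errors.New("json-patch: too many operations")
	errTooLarge   = errors.New("json-patch: body too large")
)

// patchOp is one RFC 6902 operation; Value is kept raw so decoding stays cheap.
type patchOp struct {
	Op    string          `json:"op"`
	Path  string          `json:"path"`
	From  string          `json:"from,omitempty"`
	Value json.RawMessage `json:"value,omitempty"`
}

// checkJSONPatch validates a JSON Patch body and returns the number of
// operations it carries. It rejects bodies that exceed the byte cap, decode
// into more than maxPatchOperations entries, or contain an unknown op type.
func checkJSONPatch(body []byte) (int, error) {
	if len(body) > maxPatchBytes {
		return 0, errTooLarge
	}
	var ops []patchOp
	if err := json.Unmarshal(body, &ops); err != nil {
		return 0, fmt.Errorf("json-patch: invalid body: %w", err)
	}
	if len(ops) > maxPatchOperations {
		return len(ops), errTooManyOps
	}
	for i, op := range ops {
		switch op.Op {
		case "add", "remove", "replace", "move", "copy", "test":
		default:
			return len(ops), fmt.Errorf("json-patch: operation %d has unknown op %q", i, op.Op)
		}
	}
	return len(ops), nil
}

// buildPatch constructs a patch body with n identical "add" operations.
// It exists only to produce test input for the check above.
func buildPatch(n int) []byte {
	ops := make([]patchOp, n)
	for i := range ops {
		ops[i] = patchOp{Op: "add", Path: "/metadata/labels/example", Value: json.RawMessage(`"x"`)}
	}
	b, _ := json.Marshal(ops)
	return b
}

func main() {
	// A normal patch of the kind kubectl sends with --type json.
	small := []byte(`[{"op":"replace","path":"/spec/replicas","value":3}]`)
	n, err := checkJSONPatch(small)
	fmt.Println("small patch:", n, "ops, err:", err)

	// A constructed patch one operation over the assumed cap is refused.
	n, err = checkJSONPatch(buildPatch(maxPatchOperations + 1))
	fmt.Println("oversized patch:", n, "ops, err:", err)
}
```

The byte cap runs before `json.Unmarshal` so the decoder never sees an arbitrarily large body, and the operation cap runs before any apply logic; both checks are cheap relative to the work they prevent.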
CVE-2019-1002100 is fixed in the following Kubernetes releases:
Affected components:
Affected versions:
Mitigations:
Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.
Post-mortem: