CVE-2019-1002100

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

References

Affected packages

Git / github.com/kubernetes/kubelet

Affected ranges

Type: GIT
Repo: https://github.com/kubernetes/kubelet
Events: Introduced

36ea738c771d6b8a50df632f092f5805818476c3

Fixed

b2baec5a487a3ad344d60bd012d1c9464f517011

Introduced

b2c7df37e34be8581976ae5b6289401530620ff9

Fixed

d16f820ebc930432e3e0f4ea43681713ee948cc5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1002100.json"

Git / github.com/kubernetes/kubernetes

Affected ranges

Type: GIT
Repo: https://github.com/kubernetes/kubernetes
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4e209c9383fa00631d124c8adcc011d617339b3c

Introduced

0ed33881dc4355495f623c6f22e7dd0b7632b7c0

Fixed

ab91afd7062d4240e95e51ac00a18bd58fddd365

Introduced

ddf47ac13c1a9483ea035a79cd7c10005ff21a6d

Fixed

c27b913fddd1a6c480c229191a087698aa92f0b1

Affected versions

v1.*

v1.12.0

v1.12.1

v1.12.1-beta.0

v1.12.2

v1.12.2-beta.0

v1.12.3

v1.12.3-beta.0

v1.12.4

v1.12.4-beta.0

v1.12.5

v1.12.5-beta.0

v1.12.6-beta.0

v1.13.0

v1.13.1

v1.13.1-beta.0

v1.13.2

v1.13.2-beta.0

v1.13.3

v1.13.3-beta.0

v1.13.4-beta.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1002100.json"