Vulnerability-Lookup

CVE-2019-11254 (GCVE-0-2019-11254)

Vulnerability from cvelistv5 – Published: 2020-04-01 20:30 – Updated: 2024-09-16 23:16

Title

Kubernetes API Server denial of service vulnerability from malicious YAML payloads

Summary

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Assigner

kubernetes

References

URL

Tags

	https://github.com/kubernetes/kubernetes/issues/89535	x_refsource_MISC
	https://groups.google.com/d/msg/kubernetes-announ…	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2020041…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Kubernetes	Kubernetes	Affected: prior to 1.15.10 Affected: prior to 1.16.7 Affected: prior to 1.17.3 Affected: 1.1 Affected: 1.2 Affected: 1.3 Affected: 1.4 Affected: 1.5 Affected: 1.6 Affected: 1.7 Affected: 1.8 Affected: 1.9 Affected: 1.10 Affected: 1.11 Affected: 1.12 Affected: 1.13 Affected: 1.14

Credits

Mike Danese of Google

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:48:09.147Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/kubernetes/kubernetes/issues/89535"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kubernetes",
          "vendor": "Kubernetes",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 1.15.10"
            },
            {
              "status": "affected",
              "version": "prior to 1.16.7"
            },
            {
              "status": "affected",
              "version": "prior to 1.17.3"
            },
            {
              "status": "affected",
              "version": "1.1"
            },
            {
              "status": "affected",
              "version": "1.2"
            },
            {
              "status": "affected",
              "version": "1.3"
            },
            {
              "status": "affected",
              "version": "1.4"
            },
            {
              "status": "affected",
              "version": "1.5"
            },
            {
              "status": "affected",
              "version": "1.6"
            },
            {
              "status": "affected",
              "version": "1.7"
            },
            {
              "status": "affected",
              "version": "1.8"
            },
            {
              "status": "affected",
              "version": "1.9"
            },
            {
              "status": "affected",
              "version": "1.10"
            },
            {
              "status": "affected",
              "version": "1.11"
            },
            {
              "status": "affected",
              "version": "1.12"
            },
            {
              "status": "affected",
              "version": "1.13"
            },
            {
              "status": "affected",
              "version": "1.14"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mike Danese of Google"
        }
      ],
      "datePublic": "2020-03-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1050",
              "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-13T08:06:01.000Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kubernetes/kubernetes/issues/89535"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
        }
      ],
      "source": {
        "defect": [
          "https://github.com/kubernetes/kubernetes/issues/89535"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Kubernetes API Server denial of service vulnerability from malicious YAML payloads",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@kubernetes.io",
          "DATE_PUBLIC": "2020-03-31T23:07:00.000Z",
          "ID": "CVE-2019-11254",
          "STATE": "PUBLIC",
          "TITLE": "Kubernetes API Server denial of service vulnerability from malicious YAML payloads"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Kubernetes",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 1.15.10"
                          },
                          {
                            "version_value": "prior to 1.16.7"
                          },
                          {
                            "version_value": "prior to 1.17.3"
                          },
                          {
                            "version_value": "1.1"
                          },
                          {
                            "version_value": "1.2"
                          },
                          {
                            "version_value": "1.3"
                          },
                          {
                            "version_value": "1.4"
                          },
                          {
                            "version_value": "1.5"
                          },
                          {
                            "version_value": "1.6"
                          },
                          {
                            "version_value": "1.7"
                          },
                          {
                            "version_value": "1.8"
                          },
                          {
                            "version_value": "1.9"
                          },
                          {
                            "version_value": "1.10"
                          },
                          {
                            "version_value": "1.11"
                          },
                          {
                            "version_value": "1.12"
                          },
                          {
                            "version_value": "1.13"
                          },
                          {
                            "version_value": "1.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Kubernetes"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mike Danese of Google"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1050: Excessive Platform Resource Consumption within a Loop"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kubernetes/kubernetes/issues/89535",
              "refsource": "MISC",
              "url": "https://github.com/kubernetes/kubernetes/issues/89535"
            },
            {
              "name": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ",
              "refsource": "MISC",
              "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200413-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
            }
          ]
        },
        "source": {
          "defect": [
            "https://github.com/kubernetes/kubernetes/issues/89535"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2019-11254",
    "datePublished": "2020-04-01T20:30:15.907Z",
    "dateReserved": "2019-04-17T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:16:55.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GSD-2019-11254

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-11254

Aliases

CVE-2019-11254

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-11254",
    "description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
    "id": "GSD-2019-11254",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-11254.html",
      "https://access.redhat.com/errata/RHSA-2020:2479",
      "https://access.redhat.com/errata/RHSA-2020:2413",
      "https://access.redhat.com/errata/RHSA-2020:2412",
      "https://access.redhat.com/errata/RHSA-2020:0933",
      "https://linux.oracle.com/cve/CVE-2019-11254.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-11254"
      ],
      "details": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
      "id": "GSD-2019-11254",
      "modified": "2023-12-13T01:24:01.585706Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@kubernetes.io",
        "DATE_PUBLIC": "2020-03-31T23:07:00.000Z",
        "ID": "CVE-2019-11254",
        "STATE": "PUBLIC",
        "TITLE": "Kubernetes API Server denial of service vulnerability from malicious YAML payloads"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Kubernetes",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "prior to 1.15.10"
                        },
                        {
                          "version_value": "prior to 1.16.7"
                        },
                        {
                          "version_value": "prior to 1.17.3"
                        },
                        {
                          "version_value": "1.1"
                        },
                        {
                          "version_value": "1.2"
                        },
                        {
                          "version_value": "1.3"
                        },
                        {
                          "version_value": "1.4"
                        },
                        {
                          "version_value": "1.5"
                        },
                        {
                          "version_value": "1.6"
                        },
                        {
                          "version_value": "1.7"
                        },
                        {
                          "version_value": "1.8"
                        },
                        {
                          "version_value": "1.9"
                        },
                        {
                          "version_value": "1.10"
                        },
                        {
                          "version_value": "1.11"
                        },
                        {
                          "version_value": "1.12"
                        },
                        {
                          "version_value": "1.13"
                        },
                        {
                          "version_value": "1.14"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Kubernetes"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Mike Danese of Google"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-1050: Excessive Platform Resource Consumption within a Loop"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/kubernetes/kubernetes/issues/89535",
            "refsource": "MISC",
            "url": "https://github.com/kubernetes/kubernetes/issues/89535"
          },
          {
            "name": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20200413-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
          }
        ]
      },
      "source": {
        "defect": [
          "https://github.com/kubernetes/kubernetes/issues/89535"
        ],
        "discovery": "INTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.2.8",
          "affected_versions": "All versions before 2.2.8",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-12-20",
          "description": "Abusively constructed YAML payload can significantly reduce parsing performance potentially leading to DoS.",
          "fixed_versions": [
            "2.2.8"
          ],
          "identifier": "CVE-2019-11254",
          "identifiers": [
            "GHSA-wxc4-f4m6-wwqv",
            "CVE-2019-11254"
          ],
          "not_impacted": "All versions starting from 2.2.8",
          "package_slug": "go/gopkg.in/yaml.v2",
          "pubdate": "2021-12-20",
          "solution": "Upgrade to version 2.2.8 or above.",
          "title": "Excessive Platform Resource Consumption within a Loop in Kubernetes",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
            "https://github.com/kubernetes/kubernetes/issues/89535",
            "https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8",
            "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48",
            "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ",
            "https://security.netapp.com/advisory/ntap-20200413-0003/",
            "https://github.com/advisories/GHSA-wxc4-f4m6-wwqv"
          ],
          "uuid": "479bfa14-4b11-4314-ad05-696ac3b7b162"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.15.10",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.16.7",
                "versionStartIncluding": "1.16.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.17.3",
                "versionStartIncluding": "1.17.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@kubernetes.io",
          "ID": "CVE-2019-11254"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kubernetes/kubernetes/issues/89535",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/kubernetes/kubernetes/issues/89535"
            },
            {
              "name": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200413-0003/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-10-02T17:37Z",
      "publishedDate": "2020-04-01T21:15Z"
    }
  }
}

GHSA-WXC4-F4M6-WWQV

Vulnerability from github – Published: 2021-12-20 16:55 – Updated: 2023-02-09 17:45

Summary

Excessive Platform Resource Consumption within a Loop in Kubernetes

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gopkg.in/yaml.v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-yaml/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1050"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T17:24:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
  "id": "GHSA-wxc4-f4m6-wwqv",
  "modified": "2023-02-09T17:45:10Z",
  "published": "2021-12-20T16:55:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/89535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-yaml/yaml/pull/555"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/87467/commits/b86df2bec4f377afc0ca03482ffad2f0a49a83b8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2020-0036"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200413-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Excessive Platform Resource Consumption within a Loop in Kubernetes"
}

CNVD-2020-35519

Vulnerability from cnvd - Published: 2020-07-01

Title

Google Kubernetes API Server资源管理错误漏洞

Description

Google Kubernetes是美国谷歌（Google）公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。API server是其中的一个API（应用编程接口）服务器。 Google Kubernetes 1.15.10之前版本、1.16.7之前版本和1.17.3之前版本中的API Server组件存在资源管理错误漏洞。远程攻击者可借助特制请求利用该漏洞造成拒绝服务。

Severity

中

Patch Name

Google Kubernetes API Server资源管理错误漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/kubernetes/kubernetes/issues/89535

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-11254

Impacted products

Name
['Google Kubernetes <1.15.10', 'Google Kubernetes <1.16.7', 'Google Kubernetes <1.17.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11254"
    }
  },
  "description": "Google Kubernetes\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002API server\u662f\u5176\u4e2d\u7684\u4e00\u4e2aAPI\uff08\u5e94\u7528\u7f16\u7a0b\u63a5\u53e3\uff09\u670d\u52a1\u5668\u3002\n\nGoogle Kubernetes 1.15.10\u4e4b\u524d\u7248\u672c\u30011.16.7\u4e4b\u524d\u7248\u672c\u548c1.17.3\u4e4b\u524d\u7248\u672c\u4e2d\u7684API Server\u7ec4\u4ef6\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/kubernetes/kubernetes/issues/89535",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-35519",
  "openTime": "2020-07-01",
  "patchDescription": "Google Kubernetes\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Docker\u5bb9\u5668\u96c6\u7fa4\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u5bb9\u5668\u5316\u7684\u5e94\u7528\u63d0\u4f9b\u8d44\u6e90\u8c03\u5ea6\u3001\u90e8\u7f72\u8fd0\u884c\u3001\u670d\u52a1\u53d1\u73b0\u548c\u6269\u5bb9\u7f29\u5bb9\u7b49\u529f\u80fd\u3002API server\u662f\u5176\u4e2d\u7684\u4e00\u4e2aAPI\uff08\u5e94\u7528\u7f16\u7a0b\u63a5\u53e3\uff09\u670d\u52a1\u5668\u3002\r\n\r\nGoogle Kubernetes 1.15.10\u4e4b\u524d\u7248\u672c\u30011.16.7\u4e4b\u524d\u7248\u672c\u548c1.17.3\u4e4b\u524d\u7248\u672c\u4e2d\u7684API Server\u7ec4\u4ef6\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Google Kubernetes API Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Google Kubernetes \u003c1.15.10",
      "Google Kubernetes \u003c1.16.7",
      "Google Kubernetes \u003c1.17.3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
  "serverity": "\u4e2d",
  "submitTime": "2020-04-02",
  "title": "Google Kubernetes API Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

FKIE_CVE-2019-11254

Vulnerability from fkie_nvd - Published: 2020-04-01 21:15 - Updated: 2024-11-21 04:20

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
jordan@liggitt.net	https://github.com/kubernetes/kubernetes/issues/89535	Third Party Advisory
jordan@liggitt.net	https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ	Third Party Advisory
jordan@liggitt.net	https://security.netapp.com/advisory/ntap-20200413-0003/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/kubernetes/kubernetes/issues/89535	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20200413-0003/	Third Party Advisory

Impacted products

Vendor	Product	Version
kubernetes	kubernetes	*
kubernetes	kubernetes	*
kubernetes	kubernetes	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87849953-B423-4E3B-A977-A62A88B40037",
              "versionEndExcluding": "1.15.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D26FF8F-C943-41DE-A97D-89E8C7AB6348",
              "versionEndExcluding": "1.16.7",
              "versionStartIncluding": "1.16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95F48D52-C95F-4BBE-87C3-476F8058A37E",
              "versionEndExcluding": "1.17.3",
              "versionStartIncluding": "1.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML."
    },
    {
      "lang": "es",
      "value": "El componente Kubernetes API Server en versiones 1.1-1.14 y versiones anteriores a 1.15.10, 1.16.7 y 1.17.3, permite a un usuario autorizado que env\u00eda cargas maliciosas de YAML causar que el kube-apiserver consuma ciclos de CPU excesivos mientras analiza YAML."
    }
  ],
  "id": "CVE-2019-11254",
  "lastModified": "2024-11-21T04:20:48.840",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "jordan@liggitt.net",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-01T21:15:13.397",
  "references": [
    {
      "source": "jordan@liggitt.net",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/kubernetes/kubernetes/issues/89535"
    },
    {
      "source": "jordan@liggitt.net",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
    },
    {
      "source": "jordan@liggitt.net",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/kubernetes/kubernetes/issues/89535"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"
    }
  ],
  "sourceIdentifier": "jordan@liggitt.net",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1050"
        }
      ],
      "source": "jordan@liggitt.net",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2022-AVI-591

Vulnerability from certfr_avis - Published: 2022-06-30 - Updated: 2022-06-30

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Spectrum	IBM Spectrum Protect Plus versions antérieures à 10.1.11
IBM	Spectrum	IBM Spectrum Protect Client versions antérieures à 8.1.1.15
IBM	N/A	IBM® Db2® et Db2 Warehouse® sur Cloud Pak for Data versions antérieures à 4.5.0
IBM	Db2	IBM® Db2® sur Openshift versions antérieures à 11.5.7.0-cn5

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6596399 du 29 juin 2022	None	vendor-advisory
Bulletin de sécurité IBM 6596971 du 29 juin 2022	None	vendor-advisory
Bulletin de sécurité IBM 6599703 du 29 juin 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-29368",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
    },
    {
      "name": "CVE-2021-20322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
    },
    {
      "name": "CVE-2018-1099",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
    },
    {
      "name": "CVE-2021-4154",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
    },
    {
      "name": "CVE-2021-45485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
    },
    {
      "name": "CVE-2022-27191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
    },
    {
      "name": "CVE-2021-30465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
    },
    {
      "name": "CVE-2019-11249",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
    },
    {
      "name": "CVE-2020-8557",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
    },
    {
      "name": "CVE-2020-7919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
    },
    {
      "name": "CVE-2019-11247",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
    },
    {
      "name": "CVE-2020-28851",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
    },
    {
      "name": "CVE-2021-42248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
    },
    {
      "name": "CVE-2018-1002105",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
    },
    {
      "name": "CVE-2021-31525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
    },
    {
      "name": "CVE-2020-15112",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
    },
    {
      "name": "CVE-2021-4203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
    },
    {
      "name": "CVE-2021-25736",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
    },
    {
      "name": "CVE-2020-27813",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
    },
    {
      "name": "CVE-2018-17848",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
    },
    {
      "name": "CVE-2019-16884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
    },
    {
      "name": "CVE-2021-41864",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
    },
    {
      "name": "CVE-2020-36385",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
    },
    {
      "name": "CVE-2020-25704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
    },
    {
      "name": "CVE-2021-25735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
    },
    {
      "name": "CVE-2017-18367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
    },
    {
      "name": "CVE-2020-8564",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
    },
    {
      "name": "CVE-2021-20206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
    },
    {
      "name": "CVE-2019-11246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
    },
    {
      "name": "CVE-2021-31916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
    },
    {
      "name": "CVE-2020-8565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
    },
    {
      "name": "CVE-2021-27918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
    },
    {
      "name": "CVE-2021-3635",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
    },
    {
      "name": "CVE-2021-3573",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
    },
    {
      "name": "CVE-2018-1098",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
    },
    {
      "name": "CVE-2021-28971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
    },
    {
      "name": "CVE-2019-11254",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
    },
    {
      "name": "CVE-2022-0286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
    },
    {
      "name": "CVE-2021-4002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
    },
    {
      "name": "CVE-2021-4083",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
    },
    {
      "name": "CVE-2021-45486",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
    },
    {
      "name": "CVE-2020-8551",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
    },
    {
      "name": "CVE-2017-1002101",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
    },
    {
      "name": "CVE-2021-4157",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
    },
    {
      "name": "CVE-2020-15106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
    },
    {
      "name": "CVE-2021-43784",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
    },
    {
      "name": "CVE-2021-20321",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
    },
    {
      "name": "CVE-2018-17142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
    },
    {
      "name": "CVE-2022-0185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
    },
    {
      "name": "CVE-2022-0847",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
    },
    {
      "name": "CVE-2021-41190",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
    },
    {
      "name": "CVE-2021-44733",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
    },
    {
      "name": "CVE-2020-8552",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
    },
    {
      "name": "CVE-2021-20269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
    },
    {
      "name": "CVE-2020-8554",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
    },
    {
      "name": "CVE-2019-11252",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
    },
    {
      "name": "CVE-2021-3121",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
    },
    {
      "name": "CVE-2019-11250",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
    },
    {
      "name": "CVE-2022-22942",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
    },
    {
      "name": "CVE-2022-1011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
    },
    {
      "name": "CVE-2021-3669",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
    },
    {
      "name": "CVE-2020-8559",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
    },
    {
      "name": "CVE-2020-10752",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
    },
    {
      "name": "CVE-2021-28950",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
    },
    {
      "name": "CVE-2021-29650",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
    },
    {
      "name": "CVE-2020-36322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
    },
    {
      "name": "CVE-2020-28852",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
    },
    {
      "name": "CVE-2021-4155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
    },
    {
      "name": "CVE-2020-15113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
    },
    {
      "name": "CVE-2020-29652",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
    },
    {
      "name": "CVE-2018-17847",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
    },
    {
      "name": "CVE-2022-0492",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
    },
    {
      "name": "CVE-2020-26160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
    },
    {
      "name": "CVE-2022-0778",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
    },
    {
      "name": "CVE-2021-42836",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
    },
    {
      "name": "CVE-2020-8555",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
    },
    {
      "name": "CVE-2021-44716",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
    },
    {
      "name": "CVE-2018-17143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
    },
    {
      "name": "CVE-2019-11841",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
    },
    {
      "name": "CVE-2018-20699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
    },
    {
      "name": "CVE-2021-33194",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
    },
    {
      "name": "CVE-2020-14040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
    },
    {
      "name": "CVE-2021-3764",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
    },
    {
      "name": "CVE-2019-1002101",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
    },
    {
      "name": "CVE-2021-38201",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
    },
    {
      "name": "CVE-2021-21781",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
    },
    {
      "name": "CVE-2022-0850",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
    },
    {
      "name": "CVE-2021-3538",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
    },
    {
      "name": "CVE-2019-11253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
    },
    {
      "name": "CVE-2021-25737",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
    },
    {
      "name": "CVE-2018-17846",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
    },
    {
      "name": "CVE-2021-4028",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
    },
    {
      "name": "CVE-2021-43565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
    },
    {
      "name": "CVE-2021-25741",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
    },
    {
      "name": "CVE-2018-16886",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
    },
    {
      "name": "CVE-2021-44907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
    },
    {
      "name": "CVE-2021-4197",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
    },
    {
      "name": "CVE-2020-9283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
    },
    {
      "name": "CVE-2019-11840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
    },
    {
      "name": "CVE-2019-11251",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
    },
    {
      "name": "CVE-2020-36067",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
    }
  ],
  "initial_release_date": "2022-06-30T00:00:00",
  "last_revision_date": "2022-06-30T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-591",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-06-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
      "url": "https://www.ibm.com/support/pages/node/6596399"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
      "url": "https://www.ibm.com/support/pages/node/6596971"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
      "url": "https://www.ibm.com/support/pages/node/6599703"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-11254 (GCVE-0-2019-11254)

GSD-2019-11254

GHSA-WXC4-F4M6-WWQV

CNVD-2020-35519

FKIE_CVE-2019-11254

CERTFR-2022-AVI-591

Solution

Tags

Sightings

Nomenclature