CVE-2019-11247 (High) detected in github.com/coreos/prometheus-operator-v0.26.0

[mend-bolt-for-github]

CVE-2019-11247 - High Severity Vulnerability

Vulnerable Library - github.com/coreos/prometheus-operator-v0.26.0

Prometheus Operator creates/configures/manages Prometheus clusters atop Kubernetes

Dependency Hierarchy:

• github.com/operator-framework/operator-sdk-e3225a40338e66e694de23d523e271db43ff0520 (Root Library)
  • ❌ github.com/coreos/prometheus-operator-v0.26.0 (Vulnerable Library)

Found in HEAD commit: 529bd4477562304d2b7ce7774b0f2acd4b189154

Found in base branch: master

Vulnerability Details

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.

Publish Date: 2019-08-29

URL: CVE-2019-11247

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247

Release Date: 2020-10-02

Fix Resolution: v1.16.0-alpha.3

---

Step up your Open Source Security Game with Mend here