CVE-2019-11244: Kubernetes Unsafe Caching
5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.2905%
CWE
Published
2/15/2022
Updated
9/18/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
k8s.io/client-go | go | >= 1.8.0, < 1.12.9 | 1.12.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two key issues:
1) Cache directories created with 0755 permissions allowed world-write access.
2) Cache files created with 0666 permissions.

The core vulnerable functions are those handling filesystem operations in the discovery/cached/disk package.

Confidence is high because:
1) The GitHub commit f228ae3 explicitly shows permission changes from 0755 to 0750 and from 0666 to 0660 in these functions.
2) CVE description matches the patched file permissions.
3) Added test cases in cached_discovery_test.go and round_tripper_test.go specifically validate permission fixes.
4) Red Hat advisories reference these client-go components as vulnerable vectors.
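An audit for the condition described above, as an added example that is not code from this page or from client-go: it walks a cache directory and reports every entry whose mode grants bits beyond the patched 0750 (directories) and 0660 (files). The `CACHE_DIR` variable and the `Finding` and `AuditCache` names are choices made for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

const maxDirPerm, maxFilePerm fs.FileMode = 0o750, 0o660 // patched modes quoted above

// Finding is a cache entry whose mode grants bits beyond its ceiling.
type Finding struct {
	Path        string
	Mode, Extra fs.FileMode // permission bits on disk; bits beyond the ceiling
}

// AuditCache walks root (symlinks are not followed) and reports over-permissive entries.
func AuditCache(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		limit := maxFilePerm
		if d.IsDir() {
			limit = maxDirPerm
		} else if !info.Mode().IsRegular() {
			return nil // symlinks, sockets and devices are out of scope
		}
		if extra := info.Mode().Perm() &^ limit; extra != 0 {
			out = append(out, Finding{Path: p, Mode: info.Mode().Perm(), Extra: extra})
		}
		return nil
	})
	return out, err
}

func main() {
	// CACHE_DIR is a name chosen for this example; set it to the cache directory to audit.
	findings, err := AuditCache(os.Getenv("CACHE_DIR"))
	for _, f := range findings {
		fmt.Printf("%s mode=%04o excess=%04o\n", f.Path, f.Mode, f.Extra)
	}
	fmt.Println("entries over ceiling:", len(findings), "error:", err)
}
```

Entries written by a patched client should produce no findings; entries left behind by a vulnerable version keep their old modes until they are removed or re-permissioned.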