Miggo Logo

CVE-2019-11244: Kubernetes Unsafe Cacheing

5

CVSS Score
3.1

Basic Information

EPSS Score
0.2905%
Published
2/15/2022
Updated
9/18/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
k8s.io/client-gogo>= 1.8.0, < 1.12.91.12.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key issues: 1) Cache directories created with 0755 permissions allowed world-write access, 2) Cache files created with 0666 permissions. The core vulnerable functions are those handling filesystem operations in the discovery/cached/disk package. Confidence is high because: 1) The GitHub commit f228ae3 explicitly shows permission changes from 0755->0750 and 0666->0660 in these functions 2) CVE description matches the patched file permissions 3) Added test cases in cached_discovery_test.go and round_tripper_test.go specifically validate permission fixes 4) Red Hat advisories reference these client-go components as vulnerable vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Ku**rn*t*s v*.*.x-v*.**.x, s***m* in*o is ****** *y ku***tl in t** lo**tion sp**i*i** *y `--*****-*ir` (****ultin* to `$*OM*/.ku**/*ttp-*****`), writt*n wit* worl*-writ***l* p*rmissions (`rw-rw-rw-`). I* `--*****-*ir` is sp**i*i** *n* point** *t *

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) ***** *ir**tori*s *r**t** wit* **** p*rmissions *llow** worl*-writ* ****ss, *) ***** *il*s *r**t** wit* **** p*rmissions. T** *or* vuln*r**l* *un*tions *r* t*os* **n*lin* *il*syst*m op*r*tions in t**