CVE-2019-9946

CVSS v3.0 7.5 (High)
CVSS v2.0 5 (Medium)
EPSS 0.23% (62nd)
Affected Products 3
Advisories 7

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, where they take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules, like NodePorts, later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

Weaknesses
CWE-670
Always-Incorrect Control Flow Implementation
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-04-02 18:30:26
(5 years ago)
Updated Date
2023-11-07 03:13:49
(10 months ago)

Affected Products


Configuration #1

  Product | CPE23 | From | Up To
  Cncf Portmap for Container Networking Interface prior 0.7.5 version | cpe:2.3:a:cncf:portmap::*:*:*:*:container_networking_interface | | < 0.7.5
  Kubernetes prior 1.11.9 version | cpe:2.3:a:kubernetes:kubernetes | | < 1.11.9
  Kubernetes from 1.12.0 version and prior 1.12.7 version | cpe:2.3:a:kubernetes:kubernetes | >= 1.12.0 | < 1.12.7
  Kubernetes from 1.13.0 version and prior 1.13.5 version | cpe:2.3:a:kubernetes:kubernetes | >= 1.13.0 | < 1.13.5
  Kubernetes 1.13.6 Beta0 | cpe:2.3:a:kubernetes:kubernetes:1.13.6:beta0 | |
  Kubernetes 1.14.0 Alpha0 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha0 | |
  Kubernetes 1.14.0 Alpha1 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha1 | |
  Kubernetes 1.14.0 Alpha2 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha2 | |
  Kubernetes 1.14.0 Alpha3 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha3 | |
  Kubernetes 1.14.0 Beta0 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta0 | |
  Kubernetes 1.14.0 Beta1 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta1 | |
  Kubernetes 1.14.0 Beta2 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta2 | |
  Kubernetes 1.14.0 Rc1 | cpe:2.3:a:kubernetes:kubernetes:1.14.0:rc1 | |

Configuration #2

  Product | CPE23 | From | Up To
  Netapp Cloud Insights | cpe:2.3:a:netapp:cloud_insights:- | |