CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)
The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.
If an attacker can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.
Prior to upgrading, this vulnerability can be mitigated by:
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
This vulnerability was reported by: Gus Lees (Amazon)
/area security
/kind bug
/committee product-security
/sig api-machinery
Is it possible to include a link to the PR/commit that fixed this?
This was fixed by https://github.com/kubernetes/kubernetes/pull/87669