{"id":"CVE-2019-11254","details":"The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.","aliases":["GHSA-wxc4-f4m6-wwqv","GO-2020-0036"],"modified":"2026-04-10T04:14:09.651271Z","published":"2020-04-01T21:15:13.397Z","related":["CGA-273g-hhg6-g68m","openSUSE-SU-2024:11911-1","openSUSE-SU-2025:0003-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200413-0003/"},{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/89535"},{"type":"ADVISORY","url":"https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubernetes","events":[{"introduced":"0"},{"fixed":"1bea6c00a7055edef03f1d4bb58b773fa8917f11"},{"introduced":"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77"},{"fixed":"be3d344ed06bff7a4fc60656200a93c74f31f9a4"},{"introduced":"70132b0f130acc0bed193d9ba59dd186f0e634cf"},{"fixed":"06ad960bfd03b39c8310aaf92d1e7c12ce618213"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.15.10"},{"introduced":"1.16.0"},{"fixed":"1.16.7"},{"introduced":"1.17.0"},{"fixed":"1.17.3"}]}}],"versions":["v0.13.1-dev","v0.17.0","v1.1.0-alpha.0","v1.1.0-alpha.1","v1.10.0-alpha.0","v1.10.0-alpha.1","v1.10.0-alpha.2","v1.10.0-alpha.3","v1.11.0-alpha.0","v1.11.0-alpha.1","v1.11.0-alpha.2","v1.12.0-alpha.0","v1.12.0-alpha.1","v1.13.0-alpha.0","v1.13.0-alpha.1","v1.13.0-alpha.2","v1.13.0-alpha.3","v1.14.0-alpha.0","v1.14.0-alpha.1","v1.14.0-alpha.2","v1.14.0-alpha.3","v1.15.0","v1.15.0-alpha.0","v1.15.0-alpha.1","v1.15.0-alpha.2","v1.15.0-alpha.3","v1.15.0-beta.0","v1.15.0-beta.1","v1.15.0-beta.2","v1.15.0-rc.1","v1.15.1","v1.15.1-beta.0","v1.15.10-beta.0","v1.15.2","v1.15.2-beta.0","v1.15.3","v1.15.3-beta.0","v1.15.4","v1.15.4-beta.0","v1.15.5","v1.15.5-beta.0","v1.15.6","v1.15.6-beta.0","v1.15.7","v1.15.7-beta.0","v1.15.8","v1.15.8-beta.0","v1.15.8-beta.1","v1.15.9","v1.15.9-beta.0","v1.16.0","v1.16.0-alpha.0","v1.16.1","v1.16.1-beta.0","v1.16.2","v1.16.2-beta.0","v1.16.3","v1.16.3-beta.0","v1.16.4","v1.16.4-beta.0","v1.16.5","v1.16.5-beta.0","v1.16.5-beta.1","v1.16.6","v1.16.6-beta.0","v1.16.7-beta.0","v1.17.0","v1.17.1","v1.17.1-beta.0","v1.17.2","v1.17.2-beta.0","v1.17.3-beta.0","v1.2.0-alpha.1","v1.2.0-alpha.2","v1.2.0-alpha.3","v1.2.0-alpha.4","v1.2.0-alpha.5","v1.2.0-alpha.6","v1.2.0-alpha.7","v1.2.0-alpha.8","v1.3.0-alpha.0","v1.3.0-alpha.1","v1.3.0-alpha.2","v1.3.0-alpha.3","v1.3.0-alpha.4","v1.3.0-alpha.5","v1.4.0-alpha.1","v1.4.0-alpha.2","v1.4.0-alpha.3","v1.5.0-alpha.0","v1.5.0-alpha.1","v1.5.0-alpha.2","v1.6.0-alpha.0","v1.6.0-alpha.1","v1.6.0-alpha.2","v1.6.0-alpha.3","v1.7.0-alpha.0","v1.7.0-alpha.1","v1.7.0-alpha.2","v1.7.0-alpha.3","v1.7.0-alpha.4","v1.8.0-alpha.0","v1.8.0-alpha.1","v1.8.0-alpha.2","v1.8.0-alpha.3","v1.9.0-alpha.0","v1.9.0-alpha.1","v1.9.0-alpha.2","v1.9.0-alpha.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11254.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}