{"id":"GHSA-q4rr-64r9-fwgf","summary":"Kubernetes DoS Vulnerability","details":"In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type \"json-patch\" (e.g. `kubectl patch --type json` or `\"Content-Type: application/json-patch+json\"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.","aliases":["CVE-2019-1002100","GO-2023-1946"],"modified":"2026-02-04T04:29:35.108631Z","published":"2022-05-13T01:21:42Z","related":["CGA-67cm-8hw2-8w3r"],"database_specific":{"cwe_ids":["CWE-770"],"github_reviewed_at":"2023-07-19T18:22:43Z","severity":"MODERATE","github_reviewed":true,"nvd_published_at":"2019-04-01T14:29:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1002100"},{"type":"WEB","url":"https://github.com/kubernetes/kubernetes/issues/74534"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1851"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3239"},{"type":"PACKAGE","url":"https://github.com/kubernetes/kubernetes"},{"type":"WEB","url":"https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20190416-0002"},{"type":"WEB","url":"https://web.archive.org/web/20210125011246/https://www.securityfocus.com/bid/107290"}],"affected":[{"package":{"name":"k8s.io/kubernetes","ecosystem":"Go","purl":"pkg:golang/k8s.io/kubernetes"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"last_affected":"1.10.14"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4rr-64r9-fwgf/GHSA-q4rr-64r9-fwgf.json"}},{"package":{"name":"k8s.io/kubernetes","ecosystem":"Go","purl":"pkg:golang/k8s.io/kubernetes"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.11.0"},{"fixed":"1.11.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4rr-64r9-fwgf/GHSA-q4rr-64r9-fwgf.json","last_known_affected_version_range":"\u003c= 1.11.7"}},{"package":{"name":"k8s.io/kubernetes","ecosystem":"Go","purl":"pkg:golang/k8s.io/kubernetes"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.12.0"},{"fixed":"1.12.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4rr-64r9-fwgf/GHSA-q4rr-64r9-fwgf.json","last_known_affected_version_range":"\u003c= 1.12.5"}},{"package":{"name":"k8s.io/kubernetes","ecosystem":"Go","purl":"pkg:golang/k8s.io/kubernetes"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.13.0"},{"fixed":"1.13.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q4rr-64r9-fwgf/GHSA-q4rr-64r9-fwgf.json","last_known_affected_version_range":"\u003c= 1.13.3"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}