CVE-2019-9946

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, where they take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules, such as NodePorts, later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
Provider  Type  Base Score (CVSS 3.x)  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  7.5 HIGH               NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitre     CNA   ---                    ---          ---              ---             ---
CVE       ADP   ---                    ---          ---              ---             ---

EPSS Score: Percentile 57%
Vendor      Product         Version
cncf        portmap         x < 0.7.5
kubernetes  kubernetes      x < 1.11.9
kubernetes  kubernetes      1.12.0 ≤ x < 1.12.7
kubernetes  kubernetes      1.13.0 ≤ x < 1.13.5
kubernetes  kubernetes      1.13.6:beta0
kubernetes  kubernetes      1.14.0:alpha0
kubernetes  kubernetes      1.14.0:alpha1
kubernetes  kubernetes      1.14.0:alpha2
kubernetes  kubernetes      1.14.0:alpha3
kubernetes  kubernetes      1.14.0:beta0
kubernetes  kubernetes      1.14.0:beta1
kubernetes  kubernetes      1.14.0:beta2
kubernetes  kubernetes      1.14.0:rc1
netapp      cloud_insights  -

x = Vulnerable software versions
Debian Releases

Product                                    Codename  Version                   Status
golang-github-containernetworking-plugins  bullseye  0.9.0-1                   fixed
golang-github-containernetworking-plugins  sid       1.1.1+ds1-3               fixed
golang-github-containernetworking-plugins  trixie    1.1.1+ds1-3               fixed
golang-github-containernetworking-plugins  bookworm  1.1.1+ds1-3               fixed
kubernetes                                 bullseye  1.20.5+really1.20.2-1     fixed
kubernetes                                 sid       1.20.5+really1.20.2-1.1   fixed
kubernetes                                 trixie    1.20.5+really1.20.2-1.1   fixed
kubernetes                                 bookworm  1.20.5+really1.20.2-1.1   fixed
singularity-container                      sid       4.1.5+ds3-1               fixed
Ubuntu Releases

Product     Codename  Status
kubernetes  noble     needs-triage
kubernetes  mantic    ignored
kubernetes  lunar     ignored
kubernetes  kinetic   ignored
kubernetes  jammy     needs-triage
kubernetes  impish    ignored
kubernetes  hirsute   ignored
kubernetes  groovy    ignored
kubernetes  focal     needs-triage
kubernetes  eoan      ignored
kubernetes  disco     ignored
kubernetes  cosmic    ignored
kubernetes  bionic    dne
kubernetes  xenial    dne
kubernetes  trusty    dne