Platform: kubernetes
Component: kubernetes-api-server
Fixed in: 2.1.1, 3.1.1, 3.1.2, 3.1.3
CVE-2019-4119 affects the Kubernetes API server shipped with IBM Cloud Private, which could be used as an HTTP proxy. An attacker with access to the API server can route requests through it to internal cluster resources and to external IP addresses, potentially bypassing network security controls that assume the API server only serves API traffic. The flaw affects IBM Cloud Private versions 2.1.0 through 3.1.2; a fix is available in version 3.1.3.
The primary impact is that an attacker who can reach the API server can use it as a forward proxy, so their requests leave from the API server's network position and identity rather than their own. That lets them reach internal cluster services that are not otherwise exposed, read data from them, and pivot out to external IP addresses, sidestepping egress filtering and segmentation. This is request forgery through the server, not interception: the attacker sends their own requests via the proxy and does not see or modify traffic between other parties, so claims of "man-in-the-middle" do not apply here. The CVSS rating is LOW, but because the API server is typically one of the most connected and trusted components in a cluster, the reach it grants is significant in environments holding sensitive data or running critical infrastructure.
CVE-2019-4119 was publicly disclosed on May 17, 2019. There is no indication of active exploitation campaigns targeting it, and it is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the flaw is straightforward to exploit for anyone who already has access to the API server, since it requires nothing more than issuing HTTP requests through the server's proxy functionality.
Exploit Status
EPSS: 0.26% (49th percentile)
CVSS Vector:
The recommended mitigation for CVE-2019-4119 is to upgrade to IBM Cloud Private version 3.1.3 or later, which fixes the proxy behaviour. If an immediate upgrade is not feasible, restrict network access to the API server with segmentation so that only administrators, nodes and cluster components can reach it, and review and tighten API server access controls (authentication and RBAC) so that only principals that genuinely need it can interact with the API, and in particular with its proxy functionality. Enable audit logging if it is not already on and monitor API server logs for proxy requests that do not fit the normal pattern of users and targets. After upgrading, confirm the fix by verifying that external IP addresses are no longer reachable through the API server, using the same request an attacker would send, and keep the log monitoring in place: a proxy that reaches only internal services is still worth watching.
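The bulletin does not say which API-server endpoint CVE-2019-4119 abuses, so the following is an added example (not IBM's code and not part of the bulletin) that covers the "monitor API server logs" step generically: it scans kube-apiserver audit events for use of the documented proxy subresources (pods/proxy, services/proxy, nodes/proxy), builds a per-user baseline of who proxies where, and flags proxy requests that come from principals outside an allowlist or that carry a write verb. It assumes audit logging is enabled with the JSON (audit.k8s.io/v1) log backend; the log lines, user names, IP addresses and the allowlist are all constructed for illustration.

```python
"""Flag use of the Kubernetes API server's proxy subresources in audit logs.

Added example, not IBM's or the Kubernetes project's code. Assumes the
kube-apiserver JSON audit log backend (audit.k8s.io/v1) at Metadata level
or above. Every log line, user, IP and allowlist entry below is constructed.
"""
import json
import re
from collections import Counter, defaultdict

# Audit verbs that correspond to state-changing HTTP methods.
WRITE_VERBS = frozenset({"create", "update", "patch", "delete", "deletecollection"})

# Fallback matcher for events that carry no objectRef (e.g. trimmed by policy).
PROXY_PATH = re.compile(r"/proxy(?:/|\?|$)")

# Constructed sample: one ordinary list, three proxy requests by a human user
# from an external address, one by a monitoring service account, one garbled line.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods?limit=500","verb":"list","user":{"username":"system:serviceaccount:kube-system:controller","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-05-17T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/services/web:8080/proxy/","verb":"get","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"services","namespace":"default","name":"web","subresource":"proxy"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-05-17T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0003","stage":"ResponseComplete","requestURI":"/api/v1/nodes/worker-1/proxy/metrics","verb":"get","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"nodes","name":"worker-1","subresource":"proxy"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-05-17T10:01:30.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0004","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/services/web:8080/proxy/admin/login","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"services","namespace":"default","name":"web","subresource":"proxy"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-05-17T10:02:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0005","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/app-1/proxy/healthz","verb":"get","user":{"username":"system:serviceaccount:monitoring:prometheus","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"pods","namespace":"default","name":"app-1","subresource":"proxy"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-05-17T10:03:00.000000Z"}
this line is not JSON and must be skipped, not crash the scan
"""

# Principals expected to use proxy subresources (hypothetical allowlist).
ALLOWED_PROXY_USERS = frozenset({"system:serviceaccount:monitoring:prometheus"})


def parse_audit_lines(text):
    """Parse newline-delimited audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("kind") == "Event":
            events.append(event)
    return events


def is_proxy_event(event):
    """True when the request targets a proxy subresource (pods/services/nodes)."""
    subresource = (event.get("objectRef") or {}).get("subresource")
    if subresource is not None:
        return subresource == "proxy"
    return PROXY_PATH.search(event.get("requestURI", "")) is not None


def proxy_target(event):
    """resource/namespace/name the proxy request went through (namespace if any)."""
    ref = event.get("objectRef") or {}
    namespace = ref.get("namespace")
    prefix = f"{namespace}/" if namespace else ""
    return f"{ref.get('resource', '?')}/{prefix}{ref.get('name', '?')}"


def username(event):
    return (event.get("user") or {}).get("username", "<anonymous>")


def summarize_proxy_use(events):
    """Per-user counts of proxy targets: the baseline of who proxies where."""
    summary = defaultdict(Counter)
    for event in events:
        if is_proxy_event(event):
            summary[username(event)][proxy_target(event)] += 1
    return dict(summary)


def flag_proxy_events(events, allowed_users=ALLOWED_PROXY_USERS):
    """Proxy requests worth review: non-allowlisted users, or any write verb
    sent through the proxy (a POST to an internal admin path is far less
    routine than a GET to a health check)."""
    flagged = []
    for event in events:
        if not is_proxy_event(event):
            continue
        user, verb = username(event), event.get("verb", "")
        reasons = []
        if user not in allowed_users:
            reasons.append("user not allowlisted for proxy subresources")
        if verb in WRITE_VERBS:
            reasons.append(f"write verb {verb!r} through proxy")
        if reasons:
            flagged.append({
                "auditID": event.get("auditID"),
                "user": user,
                "verb": verb,
                "target": proxy_target(event),
                "requestURI": event.get("requestURI"),
                "sourceIPs": event.get("sourceIPs", []),
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    events = parse_audit_lines(SAMPLE_AUDIT_LOG)
    for user, targets in summarize_proxy_use(events).items():
        print(f"{user}: {dict(targets)}")
    for hit in flag_proxy_events(events):
        print(f"{hit['auditID']} {hit['user']} {hit['verb']} {hit['target']} "
              f"from {','.join(hit['sourceIPs'])}: {'; '.join(hit['reasons'])}")
```

Run it against a real audit log with `parse_audit_lines(open(path).read())`. A flagged request is not proof of exploitation; the point is that legitimate proxy traffic is a small, enumerable set in most clusters, so anything outside the baseline is cheap to review. Whether IBM Cloud Private's proxying to external IPs surfaces under these subresources or through some other path is not stated in the bulletin, so treat the matcher as a starting point for review rather than as a signature for this CVE.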
Update the IBM Cloud Private Kubernetes API server to a version later than 3.1.2. Consult the IBM documentation for specific instructions on performing the upgrade.
CVE-2019-4119 is a LOW severity vulnerability in IBM Cloud Private Kubernetes API server versions 2.1.0–3.1.2 that allows it to be used as an HTTP proxy, potentially exposing internal and external resources.
If you are running IBM Cloud Private Kubernetes versions 2.1.0, 3.1.0, 3.1.1, or 3.1.2, you are potentially affected by this vulnerability.
Upgrade to IBM Cloud Private Kubernetes version 3.1.3 or later to remediate the vulnerability. Consider network segmentation as a temporary workaround.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-4119, but the vulnerability's nature makes it a potential risk.
Refer to the IBM Security Bulletin for details: https://www.ibm.com/support/kbdoc/firstdoc/security/psirt1939