Back to KEVs

CVE-2019-11248

Kubernetes kubelet exposes /debug/pprof info on healthz port

Basic Information

CVE State
PUBLISHED
Reserved Date
April 17, 2019
Published Date
August 29, 2019
Last Updated
September 17, 2024
Vendor
Kubernetes
Product
Kubernetes
Description
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

CVSS Scores

CVSS v3.0

6.5 - MEDIUM

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

EPSS Score

Score
90.84% (Percentile: 99.59%) as of 2025-04-29

Exploit Status

Exploited in the Wild
Yes (added 2025-04-24 00:00:00 UTC) Source

References

https://github.com/kubernetes/kubernetes/issues/81023 https://groups.google.com/d/msg/kubernetes-security-announce/pKELclHIov8/BEDtRELACQAJ https://security.netapp.com/advisory/ntap-20190919-0003/

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-04-24 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-11248.yaml 2025-04-26 00:00:00 UTC