LiveActive security incident?Get immediate response
CVE Record

CVE-2019-11248: Kubernetes kubelet exposes /debug/pprof info on healthz port

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Affected Kubernetes kubelets could expose Go profiling data through an unauthenticated healthz port. This can reveal operational details such as memory addresses and configuration, and may allow limited denial of service. The issue is medium severity and is not exposed by Kubernetes' default configuration.

Executive priority

Treat as a targeted hygiene item, not an emergency, unless kubelet healthz ports are externally reachable. Prioritize internet-facing or shared-network clusters first.

Technical view

CVE-2019-11248 affects Kubernetes kubelet versions before 1.15.0, 1.14.4, 1.13.8, and 1.12.10. The /debug/pprof endpoint is reachable via the kubelet healthz port without authentication when configured that way, causing low confidentiality and availability impact under CVSS 3.0.

Likely exposure

Exposure is most likely in clusters running affected Kubernetes versions where the kubelet healthz port is reachable from untrusted networks. Default Kubernetes configuration is stated as not exposed.

Exploitation context

The source bundle does not show CISA KEV listing or active exploitation evidence. Practical risk depends on network reachability to the kubelet healthz port and whether debug profiling is exposed there.

Researcher notes

The main research question is configuration reachability. Confirm affected versions, healthz exposure, and unauthenticated pprof availability without collecting sensitive profiling data. Evidence is sufficient for scope and severity, but exploit activity is not established here.

Mitigation direction

  • Upgrade Kubernetes to a non-affected version or later supported release.
  • Restrict network access to kubelet healthz interfaces to trusted administrative paths.
  • Review Kubernetes security announcement and vendor advisories for environment-specific guidance.
  • Avoid exposing kubelet healthz or debugging endpoints to untrusted networks.

Validation and detection

  • Inventory Kubernetes and kubelet versions across all clusters.
  • Confirm whether kubelet healthz ports are reachable from untrusted networks.
  • Review kubelet configuration for debug profiling exposure on healthz.
  • Check cloud, appliance, or vendor Kubernetes distributions against their advisories.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-419: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-11248 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.0MediumCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L3.92.5Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

6.5Medium
CVSS 3.0 vector shape for CVE-2019-11248Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
KubernetesKubernetesprior to 1.12.10, prior to 1.13.8, prior to 1.14.4, 1.1, 1.2, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-419 · source CWE mapping

Unprotected Primary Channel

Unprotected Primary Channel represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.