Security readout for executives and security teams
Plain-English summary
Affected Kubernetes kubelets could expose Go profiling data through an unauthenticated healthz port. This can reveal operational details such as memory addresses and configuration, and may allow limited denial of service. The issue is medium severity and is not exposed by Kubernetes' default configuration.
Executive priority
Treat as a targeted hygiene item, not an emergency, unless kubelet healthz ports are externally reachable. Prioritize internet-facing or shared-network clusters first.
Technical view
CVE-2019-11248 affects Kubernetes kubelet versions before 1.15.0, 1.14.4, 1.13.8, and 1.12.10. The /debug/pprof endpoint is reachable via the kubelet healthz port without authentication when configured that way, causing low confidentiality and availability impact under CVSS 3.0.
Likely exposure
Exposure is most likely in clusters running affected Kubernetes versions where the kubelet healthz port is reachable from untrusted networks. Default Kubernetes configuration is stated as not exposed.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. Practical risk depends on network reachability to the kubelet healthz port and whether debug profiling is exposed there.
Researcher notes
The main research question is configuration reachability. Confirm affected versions, healthz exposure, and unauthenticated pprof availability without collecting sensitive profiling data. Evidence is sufficient for scope and severity, but exploit activity is not established here.
Mitigation direction
- Upgrade Kubernetes to a non-affected version or later supported release.
- Restrict network access to kubelet healthz interfaces to trusted administrative paths.
- Review Kubernetes security announcement and vendor advisories for environment-specific guidance.
- Avoid exposing kubelet healthz or debugging endpoints to untrusted networks.
Validation and detection
- Inventory Kubernetes and kubelet versions across all clusters.
- Confirm whether kubelet healthz ports are reachable from untrusted networks.
- Review kubelet configuration for debug profiling exposure on healthz.
- Check cloud, appliance, or vendor Kubernetes distributions against their advisories.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-419: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupContainer behavior lookup
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2019-11248 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.5 (3.0)
- Known Exploited
- No
- Published
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L3.92.5Primary CVE scoreVulnerability scoring details
Base CVSS 3.0 score
6.5MediumVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Source materials
- CVE List V5 sourceCVE List V5
- https://github.com/kubernetes/kubernetes/issues/81023CVE reference · x_refsource_CONFIRM
- CVE-2019-11248: /debug/pprof exposed on kubelet's healthz portCVE reference · mailing-list, x_refsource_MLIST
- https://security.netapp.com/advisory/ntap-20190919-0003/CVE reference · x_refsource_CONFIRM
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Unprotected Primary Channel
Unprotected Primary Channel represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
