id: CVE-2019-11253

info:
  name: Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
  author: ritikchaddha
  severity: high
  description: |
    The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption (Billion Laughs attack), leading to an API server crash.
  impact: |
    Attackers can cause the API server to crash or become unavailable by consuming excessive CPU or memory resources.
  remediation: |
    Upgrade to Kubernetes v1.13.12, v1.14.8, v1.15.5, v1.16.2 or later versions with fixed input validation.
  reference:
    - https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2
    - https://github.com/kubernetes/kubernetes/issues/83253
    - https://nvd.nist.gov/vuln/detail/CVE-2019-11253
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2019-11253
    epss-score: 0.84511
    epss-percentile: 0.99343
    cwe-id: CWE-400
  metadata:
    max-request: 1
    vendor: kubernetes
    product: kubernetes
    shodan-query: http.favicon.hash:-847792508
    fofa-query: icon_hash="-847792508"
  tags: cve,cve2019,kubernetes,yaml,k8s

http:
  - raw:
      - |
        POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/yaml

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Invalid value"
          - "FieldValueInvalid"
          - "422"
        condition: and
# digest: 4a0a00473045022100fd3fee4e7920f22d1dbbbe35a38e35a31ba2b98b844787ebfc9c25e58a43941a0220348ea31d038ef9936dadf1ac67cfe21d9b1fbe94b7d54dd82bae16db21518f2c:922c64590222798bb761d5b6d8e72950