The Kubernetes API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorization for a resource accessed in this manner is enforced using roles and role bindings within that namespace, meaning that a user with access only to the resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).
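As an added defender-side example (not code from the Kubernetes project or from this bug report): a Python scanner over Kubernetes audit-log lines that flags requests reaching a cluster-scoped custom resource through a namespaced URL path, the access pattern described above. It assumes an audit policy that records objectRef and requestURI (Metadata level or above); the cluster-scoped resource set and the sample events are constructed.

```python
import json

# Constructed: custom resources that are cluster-scoped in this hypothetical
# cluster, keyed by (API group, plural name). In practice derive the set from
# `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED = {("example.com", "widgets"), ("example.com", "policies")}

def namespaced_access_to_cluster_scoped(event):
    """Return a finding if a cluster-scoped resource was requested via a
    namespaced path (the CVE-2019-11247 pattern), otherwise None."""
    ref = event.get("objectRef") or {}
    key = (ref.get("apiGroup", ""), ref.get("resource", ""))
    if key not in CLUSTER_SCOPED:
        return None
    uri = event.get("requestURI", "")
    # Assumption: objectRef.namespace mirrors the namespace in the request
    # path; the URI check is a fallback for events where it is not populated.
    if not (ref.get("namespace") or "/namespaces/" in uri):
        return None
    return {"user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"), "resource": "/".join(key),
            "namespace": ref.get("namespace"), "requestURI": uri}

def scan_audit_log(lines):
    """Parse JSON-lines audit output and collect findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as log framing
        finding = namespaced_access_to_cluster_scoped(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample audit events (Kubernetes audit JSON format, one per line):
# a namespaced-path update of a cluster-scoped CRD (should be flagged), the same
# resource via its proper cluster-scoped path, and an ordinary pod list.
SAMPLE_LINES = [
    json.dumps({"verb": "update", "user": {"username": "alice"},
                "objectRef": {"apiGroup": "example.com", "resource": "widgets",
                              "namespace": "team-a", "name": "w1"},
                "requestURI": "/apis/example.com/v1/namespaces/team-a/widgets/w1"}),
    json.dumps({"verb": "get", "user": {"username": "alice"},
                "objectRef": {"apiGroup": "example.com", "resource": "widgets", "name": "w1"},
                "requestURI": "/apis/example.com/v1/widgets/w1"}),
    json.dumps({"verb": "list", "user": {"username": "bob"},
                "objectRef": {"apiGroup": "", "resource": "pods", "namespace": "team-a"},
                "requestURI": "/api/v1/namespaces/team-a/pods"}),
]
```

Running `scan_audit_log(SAMPLE_LINES)` returns one finding, for alice's update through `/namespaces/team-a/`; a patched API server rejects such requests, so any hit on a patched cluster points at a probe worth investigating.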
Acknowledgments: Name: the Kubernetes Product Security Committee
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/80983
External References: https://groups.google.com/forum/#!topic/kubernetes-security-discuss/Vf31dXp0EJc
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1737646]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2504 https://access.redhat.com/errata/RHSA-2019:2504
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11247
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769