cvedb.io
CVE-2019-9946
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2019-04-02T18:30:26.583 · Last modified 2026-06-17T02:44:54.430

Summary

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, where they take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

Affected products

cncf — portmap

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.