Description
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
The API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorization for a resource accessed in this manner is enforced using roles and role bindings within that namespace, meaning that a user with access only to the resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).
Vulnerable versions:
Kubernetes 1.7.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1
Vulnerable configurations:
All clusters that have rolebindings to roles and clusterroles that include authorization rules for cluster-scoped custom resources.
Vulnerability impact:
A user with access to custom resources in a single namespace can access custom resources with cluster scope.
Mitigations prior to upgrading:
To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.
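As an added example (not code from the advisory or from Kubernetes), the script below audits RBAC objects for the rules the mitigation above names: it flags every namespaced RoleBinding whose referenced Role or ClusterRole grants wildcard apiGroups/resources or names a cluster-scoped custom resource. The CRD, Role, ClusterRole and RoleBinding objects are constructed sample data in the shape of `kubectl get <kind> -o json` items.

```python
def cluster_scoped_crds(crds):
    """Set of (group, plural) for every CRD whose scope is Cluster."""
    return {(c["spec"]["group"], c["spec"]["names"]["plural"])
            for c in crds if c["spec"].get("scope") == "Cluster"}

def risky_rules(role, cluster_crds):
    """Rules the advisory's mitigation says a namespaced binding must not carry:
    wildcard apiGroups/resources, or any cluster-scoped custom resource."""
    findings = []
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if "*" in groups or "*" in resources:
            findings.append("wildcard apiGroups/resources")
            continue
        hits = [f"{g}/{r}" for g in groups for r in resources if (g, r) in cluster_crds]
        if hits:
            findings.append("cluster-scoped CRD " + ", ".join(hits))
    return findings

def audit(crds, roles, clusterroles, rolebindings):
    """Report (namespace, binding, roleRef kind, roleRef name, reason) for every
    namespaced RoleBinding whose referenced Role/ClusterRole has a risky rule."""
    cluster_crds = cluster_scoped_crds(crds)
    by_ref = {("Role", r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    by_ref.update({("ClusterRole", None, r["metadata"]["name"]): r for r in clusterroles})
    report = []
    for rb in rolebindings:
        ref, ns = rb["roleRef"], rb["metadata"]["namespace"]
        role = by_ref.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        for why in risky_rules(role or {}, cluster_crds):
            report.append((ns, rb["metadata"]["name"], ref["kind"], ref["name"], why))
    return report

# Constructed sample objects in the shape of `kubectl get <kind> -o json` items.
CRDS = [{"spec": {"group": "example.com", "names": {"plural": "widgets"}, "scope": "Namespaced"}},
        {"spec": {"group": "example.com", "names": {"plural": "policies"}, "scope": "Cluster"}}]
ROLES = [{"metadata": {"namespace": "team-a", "name": "widget-editor"},
          "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["*"]}]},
         {"metadata": {"namespace": "team-a", "name": "policy-reader"},
          "rules": [{"apiGroups": ["example.com"], "resources": ["policies"], "verbs": ["get"]}]}]
CLUSTERROLES = [{"metadata": {"name": "everything"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]
ROLEBINDINGS = [{"metadata": {"namespace": "team-a", "name": "rb-widgets"}, "roleRef": {"kind": "Role", "name": "widget-editor"}},
                {"metadata": {"namespace": "team-a", "name": "rb-policies"}, "roleRef": {"kind": "Role", "name": "policy-reader"}},
                {"metadata": {"namespace": "team-a", "name": "rb-everything"}, "roleRef": {"kind": "ClusterRole", "name": "everything"}}]

if __name__ == "__main__":
    for finding in audit(CRDS, ROLES, CLUSTERROLES, ROLEBINDINGS):
        print(*finding, sep="\t")
```

Only the two bindings that reach a cluster-scoped CRD or carry wildcards are reported; the namespaced `widgets` binding is left alone.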
Fixed versions:
Fixed in v1.13.9 by #80852
Fixed in v1.14.5 by #80851
Fixed in v1.15.2 by #80850
Fixed in master by #80750
Fix impact:
Permission to the correct scope will be required to access cluster-scoped custom resources.
Acknowledgements:
This issue was discovered by Prabu Shyam of Verizon Media. Thanks to Stefan Schimanski for the fix, to David Eads for the fix review, and to the release managers for creating the security releases.