Tim Downey tcdowney
bgeesaman
/ CVE-2019-11253-poc.sh
Last active
December 29, 2022 14:25
CVE-2019-11253 Kubernetes API Server YAML Parsing Remote Denial of Service PoC aka "Billion Laughs"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # CVE-2019-11253 | |
| # https://github.com/kubernetes/kubernetes/issues/83253 | |
| # Shout out: @raesene for poc collab, @iancoldwater + @mauilion for | |
| # HONKing inspiration and other guidance. | |
| # Description: In Kubernetes 1.13 and below, the default configuration | |
| # is that system:anonymous can request a selfsubjectaccessreview | |
| # via mechanisms such as "kubectl auth can-i". This request can | |
| # include POSTed YAML, and just the act of trying to parse it causes |