Описание
Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references.
Original Description
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-17110
- https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f
- https://github.com/kubernetes/kube-state-metrics/commit/2a9ab3a9a0f1c4dbecb6a5577185b33bfac86a96
- https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
Пакеты
github.com/kubernetes/kube-state-metrics
>= 1.7.0, < 1.7.2
1.7.2
k8s.io/kube-state-metrics
>= 1.7.0, < 1.7.2
1.7.2
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-10223. Reason: This candidate is a duplicate of CVE-2019-10223. Notes: All CVE users should reference CVE-2019-10223 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage