Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-hcr5-wv4p-h2g2

Опубликовано: 29 янв. 2025
Источник: github
Github: Прошло ревью
CVSS4: 5.1

Описание

kube-audit-rest's example logging configuration could disclose secret values in the audit log

Impact

What kind of vulnerability is it? Who is impacted? If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages.

Patches

Has the problem been patched? What versions should users upgrade to? The example has been updated to fix this in commit 9df8886b4819409f566233adc7c3b7a43a4096ba

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Replace

if .request.requestKind.kind == "Secret" { del(.request.object.data) .request.object.data.redacted = "REDACTED" del(.request.oldObject.data) .request.oldObject.data.redacted = "REDACTED" }

In the vector "audit-files-json-parser-and-redaction" step with

if .request.requestKind.kind == "Secret" { # Redact the secret data del(.request.object.data) .request.object.data.redacted = "REDACTED" del(.request.oldObject.data) .request.oldObject.data.redacted = "REDACTED" # Remove the previously set secret data - Not bothering to parse it as this annotation shouldn't ever be needed del(.request.object.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"]) del(.request.oldObject.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"]) }

References

Are there any links users can visit to find out more?

Ссылки

Пакеты

Наименование

github.com/RichardoC/kube-audit-rest

go
Затронутые версииВерсия исправления

< 0.0.0-20250205113217-9df8886b4819

0.0.0-20250205113217-9df8886b4819

EPSS

Процентиль: 15%
0.00048
Низкий

5.1 Medium

CVSS4

CVE ID

CVE-2025-24884

Дефекты

CWE-200
CWE-532

Связанные уязвимости

nvd логотип

CVE-2025-24884

nvd
около 1 года назад

kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is fixed in 1.0.16.

suse-cvrf логотип

SUSE-SU-2025:0429-1

suse-cvrf
12 месяцев назад

Security update for govulncheck-vulndb

EPSS

Процентиль: 15%
0.00048
Низкий

5.1 Medium

CVSS4

CVE ID

CVE-2025-24884

Дефекты

CWE-200
CWE-532