CVE-2019-11252

Published: 04 Mar 2020
Source: redhat
CVSS3: 5.9
EPSS: Low

Description

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.

A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.

Report

OpenShift Container Platform (OCP) included the upstream patch for this flaw in the release of version 4.5. Prior versions are affected as OCP 4 supports AzureFile volumes and OCP 3 supports both AzureFile and CephFS volumes. OCP clusters not using these volume types are not vulnerable.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Will not fix | | |
| Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-must-gather-rhel8 | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Not affected | | |
| Red Hat Storage 3 | heketi | Affected | | |
| Red Hat OpenShift Container Platform 4.5 | openshift4/ose-hyperkube | Fixed | RHSA-2020:2412 | 13.07.2020 |
| Red Hat OpenShift Container Platform 4.5 | openshift | Fixed | RHSA-2020:2413 | 13.07.2020 |

Additional information

Status: Moderate
Defect: CWE-209
https://bugzilla.redhat.com/show_bug.cgi?id=1860158
kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes

EPSS: 0.00355 (Low), percentile: 57%

CVSS3: 5.9 Medium

Related vulnerabilities

CVSS3: 5.9
ubuntu
almost 5 years ago

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.

CVSS3: 5.9
nvd
almost 5 years ago

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.

CVSS3: 5.9
debian
almost 5 years ago

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulne ...
