CVE-2020-8563

Published: 14 Oct 2020
Source: redhat
CVSS3: 6.3
EPSS: Low

Description

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

A flaw was found in Kubernetes. In clusters running on VSphere that use VSphere as a cloud provider with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.

Report

OpenShift Container Platform (OCP) versions before 4.6 are not affected by this vulnerability as they are based on Kubernetes versions before 1.19. Only Kubernetes versions 1.19.0 through 1.19.2 are affected by this vulnerability.

Mitigation

Ensure that the logging level is below 4. Additionally, protect cluster logs against unauthorized access.

For OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager: https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification

In OCP, a logging level of "Debug" is equivalent to 4: https://github.com/openshift/api/blob/master/operator/v1/types.go#L96

The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.
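The conditions above (an affected version, the vSphere cloud provider, and verbosity 4 or higher) can be checked against a controller manager's command line. The following is an added example, not code from Red Hat or the Kubernetes project; the function names and the sample argument list are constructed, the version range is the one given in the Report section, and the "Trace"/"TraceAll" values come from the linked openshift/api type definition rather than from this page.

```python
import re

# OCP operator logLevel -> klog verbosity. "Normal"=2 and "Debug"=4 are stated in
# the advisory; "Trace"=6 and "TraceAll"=8 are assumptions taken from openshift/api.
OCP_LOG_LEVELS = {"Normal": 2, "Debug": 4, "Trace": 6, "TraceAll": 8}

# Constructed sample: argument list of a kube-controller-manager process.
SAMPLE_ARGS = ["kube-controller-manager", "--cloud-provider=vsphere", "--v=4"]


def klog_verbosity(args, default=0):
    """Effective klog verbosity; accepts -v=N, --v=N, -v N, --v N (last one wins)."""
    level = default
    it = iter(args)
    for arg in it:
        m = re.fullmatch(r"--?v=(\d+)", arg)
        if m:
            level = int(m.group(1))
        elif arg in ("-v", "--v"):
            level = int(next(it, level))
    return level


def is_affected_version(version):
    """True for Kubernetes 1.19.0 through 1.19.2 (range from the Report section)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor) == (1, 19) and patch <= 2


def leaks_vsphere_credentials(version, args):
    """All three conditions of the advisory must hold for credentials to be logged."""
    provider = ""
    for arg in args:
        if arg.startswith("--cloud-provider="):
            provider = arg.split("=", 1)[1]
    return (is_affected_version(version)
            and provider == "vsphere"
            and klog_verbosity(args) >= 4)


def ocp_log_level_exposes(log_level):
    """True when an OCP operator logLevel maps to klog verbosity 4 or above."""
    return OCP_LOG_LEVELS[log_level] >= 4
```
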

Affected packages

| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | | |
| Red Hat Storage 3 | heketi | Not affected | | |
| Red Hat OpenShift Container Platform 4.6 | openshift | Fixed | RHSA-2020:5260 | 14.12.2020 |
| Red Hat OpenShift Container Platform 4.7 | openshift4/ose-hyperkube | Fixed | RHSA-2020:5633 | 24.02.2021 |

Additional information

Status: Moderate
Defect: CWE-117
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1886635 (kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider)

EPSS: 0.00081 (percentile: 25%, Low)
CVSS3: 6.3 Medium

Related vulnerabilities

CVSS3: 4.7, ubuntu, more than 4 years ago

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

CVSS3: 4.7, nvd, more than 4 years ago

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

CVSS3: 5.5, msrc, more than 4 years ago

No description

CVSS3: 4.7, debian, more than 4 years ago

In Kubernetes clusters using VSphere as a cloud provider, with a loggi ...

CVSS3: 6.3, github, about 1 year ago

Sensitive Information leak via Log File in Kubernetes
