CVE-2025-24884 – github.com/richardoc/kube-audit-rest
Package
Manager: go
Name: github.com/richardoc/kube-audit-rest
Vulnerable Version: >=0 <0.0.0-20250205113217-9df8886b4819
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.00035 (percentile 0.08704)
Details
kube-audit-rest's example logging configuration could disclose secret values in the audit log

### Impact
_What kind of vulnerability is it? Who is impacted?_

If the "full-elastic-stack" example Vector configuration was used for a real cluster, the previous values of Kubernetes Secrets would have been disclosed in the audit messages.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

The example has been updated to fix this in commit 9df8886b4819409f566233adc7c3b7a43a4096ba

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Replace

```yaml
if .request.requestKind.kind == "Secret" {
  del(.request.object.data)
  .request.object.data.redacted = "REDACTED"
  del(.request.oldObject.data)
  .request.oldObject.data.redacted = "REDACTED"
}
```

in the Vector "audit-files-json-parser-and-redaction" step with

```yaml
if .request.requestKind.kind == "Secret" {
  # Redact the secret data
  del(.request.object.data)
  .request.object.data.redacted = "REDACTED"
  del(.request.oldObject.data)
  .request.oldObject.data.redacted = "REDACTED"
  # Remove the previously set secret data - Not bothering to parse it as this annotation shouldn't ever be needed
  del(.request.object.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
  del(.request.oldObject.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
}
```

### References
_Are there any links users can visit to find out more?_
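The following is an added example, not code from kube-audit-rest or its Vector configuration. It re-implements the two VRL redaction steps above in Python so the difference can be checked offline: `redact_data_only` mirrors the original step (strip `.data` only) and `redact_data_and_last_applied` mirrors the patched step (also strip the `kubectl.kubernetes.io/last-applied-configuration` annotation). The AdmissionReview-style event, the Secret name and the password values are constructed for the demonstration; the field paths follow those the advisory's snippet touches. `leaked_values` is a simple detection check a defender can run over an audit line: it reports which known secret values (base64-encoded, as the API server stores them) still appear anywhere in the serialized event.

```python
import base64
import copy
import json

# Annotation written by `kubectl apply`; it carries the full previously applied
# manifest, including the Secret's data block.
ANNOTATION = "kubectl.kubernetes.io/last-applied-configuration"


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


def _manifest(password: str) -> dict:
    # Constructed Secret manifest (name, namespace and key are made up).
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "default"},
        "data": {"password": _b64(password)},
    }


def _with_last_applied(manifest: dict) -> dict:
    # Emulate what kubectl apply stores: the manifest itself, JSON-encoded, as an annotation.
    obj = copy.deepcopy(manifest)
    obj["metadata"]["annotations"] = {ANNOTATION: json.dumps(manifest)}
    return obj


def make_sample_event(old_password: str, new_password: str) -> dict:
    """Constructed AdmissionReview-style request for an UPDATE of a Secret."""
    return {
        "request": {
            "uid": "constructed-uid-0001",
            "requestKind": {"group": "", "version": "v1", "kind": "Secret"},
            "operation": "UPDATE",
            "object": _with_last_applied(_manifest(new_password)),
            "oldObject": _with_last_applied(_manifest(old_password)),
        }
    }


def _is_secret(req: dict) -> bool:
    return req.get("requestKind", {}).get("kind") == "Secret"


def redact_data_only(event: dict) -> dict:
    """Equivalent of the original VRL step: replace .data on object and oldObject."""
    event = copy.deepcopy(event)
    req = event.get("request", {})
    if _is_secret(req):
        for key in ("object", "oldObject"):
            obj = req.get(key)
            if isinstance(obj, dict):
                obj["data"] = {"redacted": "REDACTED"}
    return event


def redact_data_and_last_applied(event: dict) -> dict:
    """Equivalent of the patched VRL step: also drop the last-applied annotation."""
    event = copy.deepcopy(event)
    req = event.get("request", {})
    if _is_secret(req):
        for key in ("object", "oldObject"):
            obj = req.get(key)
            if isinstance(obj, dict):
                obj["data"] = {"redacted": "REDACTED"}
                # Missing metadata/annotations is tolerated, as on CREATE/DELETE events.
                obj.get("metadata", {}).get("annotations", {}).pop(ANNOTATION, None)
    return event


def leaked_values(event: dict, plaintexts: list) -> list:
    """Detection check: which known secret values still appear in the serialized audit line."""
    line = json.dumps(event)
    return sorted(p for p in plaintexts if _b64(p) in line)


if __name__ == "__main__":
    event = make_sample_event("hunter2", "correct-horse")
    known = ["hunter2", "correct-horse"]
    print("unredacted:      ", leaked_values(event, known))
    print("data only:       ", leaked_values(redact_data_only(event), known))
    print("data+annotation: ", leaked_values(redact_data_and_last_applied(event), known))
```

Running the block shows that the original step still leaks both the old and the new password through the annotation string, while the patched step leaves no trace of either. The same substring check is a cheap regression test to keep beside any audit-log redaction pipeline: feed it an event built from a throwaway secret and assert the encoded value never reaches the log sink.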
Metadata
Created: 2025-01-29T20:47:51Z
Modified: 2025-02-05T16:28:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-hcr5-wv4p-h2g2/GHSA-hcr5-wv4p-h2g2.json
CWE IDs: ["CWE-200", "CWE-532"]
Alternative ID: GHSA-hcr5-wv4p-h2g2
Finding: F038
Auto approve: 1