CVE-2019-17110 – k8s.io/kube-state-metrics

Package

Manager: go
Name: k8s.io/kube-state-metrics
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references. # Original Description A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

Metadata

Created: 2021-05-18T15:38:54Z
Modified: 2024-01-23T17:50:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2v6x-frw8-7r7f/GHSA-2v6x-frw8-7r7f.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-2v6x-frw8-7r7f
Finding: N/A
Auto approve: 0