Moderate severityNVD Advisory· Published Aug 29, 2019· Updated Sep 17, 2024
Kubernetes client-go logs authorization headers at debug verbosity levels
CVE-2019-11250
Description
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/client-go (Go) | < 0.17.0 | 0.17.0 |
| k8s.io/kubernetes (Go) | < 1.16.0-beta.1 | 1.16.0-beta.1 |
Affected products
- Range: prior to 1.16
Patches
4441f1d9c3e9 Merge pull request #81330 from tedyu/hide-auth-hdr
3 files changed · +118 −1
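--- a/staging/src/k8s.io/client-go/transport/round_trippers.go
+++ b/staging/src/k8s.io/client-go/transport/round_trippers.go
@@ -409,6 +409,38 @@ func (rt *debuggingRoundTripper) CancelRequest(req *http.Request) {
 	}
 }
 
+var knownAuthTypes = map[string]bool{
+	"bearer": true,
+	"basic": true,
+	"negotiate": true,
+}
+
+// maskValue masks credential content from authorization headers
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
+func maskValue(key string, value string) string {
+	if !strings.EqualFold(key, "Authorization") {
+		return value
+	}
+	if len(value) == 0 {
+		return ""
+	}
+	var authType string
+	if i := strings.Index(value, " "); i > 0 {
+		authType = value[0:i]
+	} else {
+		authType = value
+	}
+	if !knownAuthTypes[strings.ToLower(authType)] {
+		return "<masked>"
+	}
+	if len(value) > len(authType)+1 {
+		value = authType + " <masked>"
+	} else {
+		value = authType
+	}
+	return value
+}
+
 func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	reqInfo := newRequestInfo(req)
 
@@ -423,6 +455,7 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 		klog.Infof("Request Headers:")
 		for key, values := range reqInfo.RequestHeaders {
 			for _, value := range values {
+				value = maskValue(key, value)
 				klog.Infof(" %s: %s", key, value)
 			}
 		}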
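Review bot: maskValue only matches the `Authorization` header name, so a `Proxy-Authorization` header, which carries credentials in the same `<scheme> <credentials>` form, still reaches the `klog.Infof` loop in RoundTrip unmasked; extending the first guard to `if !strings.EqualFold(key, "Authorization") && !strings.EqualFold(key, "Proxy-Authorization") {` closes that gap with the same masking rules. The function's contract is also not stated: the doc comment could say that a known scheme keeps its name and only the credential part becomes `<masked>`, an unknown scheme is replaced wholesale by `<masked>`, and headers other than Authorization pass through unchanged. Values with a leading space fall through `i > 0` into the unknown-scheme branch and are fully masked, which is the safe outcome. RoundTrip's body continues outside the hunk.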
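--- a/staging/src/k8s.io/client-go/transport/round_trippers_test.go
+++ b/staging/src/k8s.io/client-go/transport/round_trippers_test.go
@@ -35,6 +35,91 @@ func (rt *testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 	return rt.Response, rt.Err
 }
 
+func TestMaskValue(t *testing.T) {
+	tcs := []struct {
+		key string
+		value string
+		expected string
+	}{
+		{
+			key: "Authorization",
+			value: "Basic YWxhZGRpbjpvcGVuc2VzYW1l",
+			expected: "Basic <masked>",
+		},
+		{
+			key: "Authorization",
+			value: "basic",
+			expected: "basic",
+		},
+		{
+			key: "Authorization",
+			value: "Basic",
+			expected: "Basic",
+		},
+		{
+			key: "Authorization",
+			value: "Bearer cn389ncoiwuencr",
+			expected: "Bearer <masked>",
+		},
+		{
+			key: "Authorization",
+			value: "Bearer",
+			expected: "Bearer",
+		},
+		{
+			key: "Authorization",
+			value: "bearer",
+			expected: "bearer",
+		},
+		{
+			key: "Authorization",
+			value: "bearer ",
+			expected: "bearer",
+		},
+		{
+			key: "Authorization",
+			value: "Negotiate cn389ncoiwuencr",
+			expected: "Negotiate <masked>",
+		},
+		{
+			key: "ABC",
+			value: "Negotiate cn389ncoiwuencr",
+			expected: "Negotiate cn389ncoiwuencr",
+		},
+		{
+			key: "Authorization",
+			value: "Negotiate",
+			expected: "Negotiate",
+		},
+		{
+			key: "Authorization",
+			value: "Negotiate ",
+			expected: "Negotiate",
+		},
+		{
+			key: "Authorization",
+			value: "negotiate",
+			expected: "negotiate",
+		},
+		{
+			key: "Authorization",
+			value: "abc cn389ncoiwuencr",
+			expected: "<masked>",
+		},
+		{
+			key: "Authorization",
+			value: "",
+			expected: "",
+		},
+	}
+	for _, tc := range tcs {
+		maskedValue := maskValue(tc.key, tc.value)
+		if tc.expected != maskedValue {
+			t.Errorf("unexpected value %s, given %s.", maskedValue, tc.value)
+		}
+	}
+}
+
 func TestBearerAuthRoundTripper(t *testing.T) {
 	rt := &testRoundTripper{}
 	req := &http.Request{}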
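Review bot: The failure message in the loop at the end of TestMaskValue formats both strings with `%s`, so the `"bearer "`, `"Negotiate "` and `""` cases print indistinguishably from their trimmed neighbours when they fail; `t.Errorf("unexpected value %q, given %q.", maskedValue, tc.value)` keeps trailing whitespace and empty values visible. The table also has no case for a value with a leading space (constructed example: `" Bearer x"`), which is the only input that exercises the `i > 0` condition on strings.Index in maskValue and should come back as `<masked>`; a row with `key: "Authorization"`, that value and `expected: "<masked>"` would pin it. TestBearerAuthRoundTripper continues outside the hunk.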
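--- a/test/e2e/kubectl/kubectl.go
+++ b/test/e2e/kubectl/kubectl.go
@@ -722,7 +722,6 @@ metadata:
 			framework.ExpectError(err)
 			gomega.Expect(err).To(gomega.ContainSubstring("Using in-cluster namespace"))
 			gomega.Expect(err).To(gomega.ContainSubstring("Using in-cluster configuration"))
-			gomega.Expect(err).To(gomega.ContainSubstring("Authorization: Bearer invalid"))
 			gomega.Expect(err).To(gomega.ContainSubstring("Response Status: 401 Unauthorized"))
 
 			ginkgo.By("trying to use kubectl with invalid server")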
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:4052 (ghsa; vendor-advisory; x_refsource_REDHAT; WEB)
- access.redhat.com/errata/RHSA-2019:4087 (ghsa; vendor-advisory; x_refsource_REDHAT; WEB)
- github.com/advisories/GHSA-jmrx-5g74-6v2f (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-11250 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2020/10/16/2 (ghsa; mailing-list; x_refsource_MLIST; WEB)
- github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245 (ghsa; WEB)
- github.com/kubernetes/kubernetes/issues/81114 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/kubernetes/kubernetes/pull/81330 (ghsa; WEB)
- pkg.go.dev/vuln/GO-2021-0065 (ghsa; WEB)
- security.netapp.com/advisory/ntap-20190919-0003 (ghsa; WEB)
- security.netapp.com/advisory/ntap-20190919-0003/ (mitre; x_refsource_CONFIRM)