Moderate severity · NVD Advisory · Published Dec 7, 2020 · Updated Sep 17, 2024
Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
CVE-2020-8565
Description
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
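As an added example (not code from the advisory or from client-go itself), the leaky and the masked rendering of a request side by side, in the curl-command style that verbose client logging uses; the `maskHeaderValue` helper, the `<masked>` replacement text and the sample token are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// maskHeaderValue is a constructed stand-in for the masking step the patch
// applies (not client-go's own maskValue): it hides the credential part of an
// Authorization header, keeping only the scheme, and leaves other headers as-is.
func maskHeaderValue(key, value string) string {
	if !strings.EqualFold(key, "Authorization") {
		return value
	}
	parts := strings.SplitN(value, " ", 2) // e.g. "Bearer <token>"
	if len(parts) == 2 {
		return parts[0] + " <masked>"
	}
	return "<masked>"
}

// toCurl renders a request as a curl command line, the way verbose (-v=9)
// client logging does. mask=false reproduces the leaky behaviour described in
// the advisory; mask=true applies the masking before the header is formatted.
func toCurl(method, url string, headers http.Header, mask bool) string {
	var b strings.Builder
	b.WriteString("curl -v -X" + method)
	for key, values := range headers {
		for _, value := range values {
			if mask {
				value = maskHeaderValue(key, value)
			}
			fmt.Fprintf(&b, " -H %q", key+": "+value)
		}
	}
	b.WriteString(" " + url)
	return b.String()
}

func main() {
	token := "constructed-token-123" // constructed sample, not a real credential
	h := http.Header{}
	h.Set("Authorization", "Bearer "+token)
	h.Set("Accept", "application/json")
	fmt.Println(toCurl("GET", "https://apiserver.example/api/v1/pods", h, false))
	fmt.Println(toCurl("GET", "https://apiserver.example/api/v1/pods", h, true))
}
```

The same `strings.Contains(line, token)` check used in the comparison can be run over captured `kubectl -v=9` output to confirm that an upgraded client no longer writes the token.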
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/client-go (Go) | >= 0.19.0, < 0.19.6 | 0.19.6 |
| k8s.io/client-go (Go) | >= 0.20.0-alpha.0, < 0.20.0-alpha.2 | 0.20.0-alpha.2 |
| k8s.io/client-go (Go) | >= 0.18.0, < 0.18.14 | 0.18.14 |
| k8s.io/client-go (Go) | < 0.17.16 | 0.17.16 |
| k8s.io/kubernetes (Go) | < 1.20.0-alpha.2 | 1.20.0-alpha.2 |
Affected products
- Range: <= 1.19.3
Patches
5e99df0e5a75e Merge pull request #95316 from sfowl/mask-token-in-toCurl
1 file changed · +1 −0
staging/src/k8s.io/client-go/transport/round_trippers.go+1 −0 modified@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { + value = maskValue(key, value) headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } }
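Review bot: the masking is applied at the right point (before the value is formatted into the ` -H %q` argument), but the hunk includes no regression test; add a unit test that builds a requestInfo whose RequestHeaders carries `Authorization: Bearer <sample>` and asserts the sample token does not appear in the `toCurl()` result at all. Also, `maskValue` is called but not defined anywhere in this diff, so confirm it already exists in round_trippers.go (the advisory title's reference to completing the CVE-2019-11250 fix suggests it does) and that its header-name comparison tolerates the header case as stored in `r.RequestHeaders`, since the loop passes `key` through unchanged.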
1b8383fc150c Mask bearer token in logs when logLevel >= 9
1 file changed · +1 −0
transport/round_trippers.go+1 −0 modified@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { + value = maskValue(key, value) headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } }
44e1a07f2d51 Mask bearer token in logs when logLevel >= 9
1 file changed · +1 −0
transport/round_trippers.go+1 −0 modified@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { + value = maskValue(key, value) headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } }
e8f871a2e5fa Mask bearer token in logs when logLevel >= 9
1 file changed · +1 −0
transport/round_trippers.go+1 −0 modified@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { + value = maskValue(key, value) headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } }
19875a3d5a2e Mask bearer token in logs when logLevel >= 9
1 file changed · +1 −0
transport/round_trippers.go+1 −0 modified@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { + value = maskValue(key, value) headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } }
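Review bot: the four client-go commits above carry the same one-line hunk as the kubernetes/kubernetes commit from #95316 (same `@@ -340,6 +340,7 @@` context in `toCurl()`, same `value = maskValue(key, value)` insertion), so the same two points apply to every backport: none of them adds a test asserting that a bearer token is absent from `toCurl()` output, and each relies on `maskValue` already being present in that branch's round_trippers.go, because the diff does not add it.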
References
- github.com/advisories/GHSA-8cfg-vx93-jvxw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-8565 (advisory)
- github.com/kubernetes/client-go/commit/19875a3d5a2e0d4f51c976a9e0662de3c2c011e3
- github.com/kubernetes/client-go/commit/1b8383fc150c9b816b0072032cca75754c2734d0
- github.com/kubernetes/client-go/commit/44e1a07f2d513e375c4b6ee6e890040b47befe86
- github.com/kubernetes/client-go/commit/e8f871a2e5fadf90fc114565abc0963967f1a373
- github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
- github.com/kubernetes/kubernetes/issues/95623
- github.com/kubernetes/kubernetes/pull/95316
- groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ (mailing list)
- pkg.go.dev/vuln/GO-2021-0064