RSS   Vulnerabilities for 'Kube-state-metrics'   RSS

2019-10-03
 
CVE-2019-17110

CWE-200
 

 
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

 

 >>> Vendor: Kubernetes 12 Products
JAVA
Kubernetes
Minikube
Kube-state-metrics
Cri-o
External-provisioner
External-resizer
External-snapshotter
Nginx ingress controller
Ingress-nginx
Secrets store csi driver
Aws-iam-authenticator


Copyright 2024, cxsecurity.com

 

Back to Top