Vulnerability CVE-2019-11250


Published: 2019-08-28   Modified: 2019-08-29

Description:
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

Type:

CWE-532

(Information Exposure Through Log Files)

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Kubernetes -> Kubernetes 

 References:
https://github.com/kubernetes/kubernetes/issues/81114
https://security.netapp.com/advisory/ntap-20190919-0003/

Copyright 2020, cxsecurity.com

 

Back to Top