CVE-2019-11250

State: PUBLISHED · Published: 2019-08-29 · Updated: 2024-09-17 · Assigner: kubernetes

Description

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

CWE

CWE-532 — CWE-532: Inclusion of Sensitive Information in Log Files

Affected

Kubernetes / Kubernetes — v=prior to 1.16 [affected]

CVSS

3.0 score=4.7 severity=MEDIUM CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/kubernetes/kubernetes/issues/81114 x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20190919-0003/ x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:4052 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4087 vendor-advisory, x_refsource_REDHAT
http://www.openwall.com/lists/oss-security/2020/10/16/2 mailing-list, x_refsource_MLIST

Source

cvelistV5-main/cves/2019/11xxx/CVE-2019-11250.json