Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nMzV4LWo2amotOGc3as4AAzD2
@mittwald/kubernetes's secret contents leaked via debug logging
Impact
When debug logging is enabled (via DEBUG
environment variable), the Kubernetes client may log all response bodies into the debug log -- including sensitive data from Secret
resources.
When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere).
Patches
Upgrade to 3.5.0 or newer.
Workarounds
Disable debug logging entirely, or exclude the kubernetes:client
debug item (for example, using DEBUG=*,-kubernetes:client
).
References Permalink: https://github.com/advisories/GHSA-g35x-j6jj-8g7j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nMzV4LWo2amotOGc3as4AAzD2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-g35x-j6jj-8g7j
References:
- https://github.com/mittwald/node-kubernetes/security/advisories/GHSA-g35x-j6jj-8g7j
- https://github.com/mittwald/node-kubernetes/commit/04f6809fd438417c343d541e57f76f0040e069cd
- https://github.com/mittwald/node-kubernetes/releases/tag/v3.5.0
- https://github.com/advisories/GHSA-g35x-j6jj-8g7j
Blast Radius: 1.3
Affected Packages
npm:@mittwald/kubernetes
Dependent packages: 2Dependent repositories: 2
Downloads: 3,024 last month
Affected Version Ranges: < 3.5.0
Fixed in: 3.5.0
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.5, 3.4.0, 3.4.1, 3.4.2
All unaffected versions: 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.7.0