An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: Moderate
EPSS: 0.00241% (0.63534 percentile)

Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information

Affected Packages

go:k8s.io/kube-state-metrics
  Affected versions: >= 1.7.0, < 1.7.2
  Fixed version: 1.7.2
  Dependent packages: 88
  Dependent repositories: 1,016
  All affected versions: 1.7.0, 1.7.1
  All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8

go:github.com/kubernetes/kube-state-metrics
  Affected versions: >= 1.7.0, < 1.7.2
  Fixed version: 1.7.2
  Dependent packages: 0
  Dependent repositories: 0
  All affected versions: 1.7.0, 1.7.1
  All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references.

Original Description

A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
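The "default kubectl behavior" referred to above is that kubectl apply stores the full applied object, including a Secret's data map, in the kubectl.kubernetes.io/last-applied-configuration annotation, so an annotations-as-labels feature copies the whole Secret into a metric label. As an added defender-side check (not part of this advisory or of kube-state-metrics), the scan below parses a constructed /metrics scrape and flags any kube_secret_* sample whose label value is a serialized Secret carrying a data map; the metric and label names (kube_secret_annotations, annotation_kubectl_kubernetes_io_last_applied_configuration) are assumptions for this example.

```python
import json
import re

# Prometheus text exposition: name{label="v",...} value  (HELP/TYPE comment lines do not match)
SAMPLE_RE = re.compile(r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)\{(?P<labels>.*)\}\s+(?P<value>\S+)\s*$')
LABEL_RE = re.compile(r'(?P<key>[a-zA-Z_][a-zA-Z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')
_UNESCAPE = {'"': '"', "\\": "\\", "n": "\n"}

def unescape_label(value):
    """Undo the three escapes the exposition format applies inside label values."""
    return re.sub(r'\\(["\\n])', lambda m: _UNESCAPE[m.group(1)], value)

def parse_sample(line):
    """Return (metric_name, {label: value}) for a sample line, or None for comment/blank lines."""
    m = SAMPLE_RE.match(line)
    if not m:
        return None
    return m.group("name"), {k: unescape_label(v) for k, v in LABEL_RE.findall(m.group("labels"))}

def find_leaked_secrets(lines):
    """Flag kube_secret_* samples whose label values hold a serialized Secret with a data map.
    Only the leaked key names are reported, so the finding does not repeat the secret values."""
    findings = []
    for line in lines:
        parsed = parse_sample(line)
        if parsed is None or not parsed[0].startswith("kube_secret"):
            continue
        name, labels = parsed
        for value in labels.values():
            if not value.lstrip().startswith("{"):
                continue  # plain annotation values cannot be a serialized object
            try:
                obj = json.loads(value)
            except ValueError:
                continue
            if isinstance(obj, dict) and obj.get("kind") == "Secret" and obj.get("data"):
                findings.append((name, labels.get("namespace"), labels.get("secret"), sorted(obj["data"])))
    return findings

# Constructed sample scrape; metric/label names mimic an annotations-as-labels feature and are assumptions.
_LAST_APPLIED = json.dumps({"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds",
                            "namespace": "prod"}, "data": {"password": "aHVudGVyMg=="}})  # dummy value
_LABEL = _LAST_APPLIED.replace("\\", "\\\\").replace('"', '\\"')  # exposition-format label escaping
SAMPLE_SCRAPE = [
    "# HELP kube_secret_annotations Kubernetes annotations converted to Prometheus labels.",
    'kube_secret_annotations{namespace="prod",secret="db-creds",'
    'annotation_kubectl_kubernetes_io_last_applied_configuration="' + _LABEL + '"} 1',
    'kube_secret_info{namespace="prod",secret="db-creds",type="Opaque"} 1',
    'kube_secret_annotations{namespace="prod",secret="tls-cert",annotation_owner="team-a"} 1',
]
```

Running find_leaked_secrets(SAMPLE_SCRAPE) reports the db-creds Secret with its leaked key name "password" and nothing for the tls-cert sample, whose annotation is a plain string.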
