CVE-2019-11250

Aliases: GHSA-jmrx-5g74-6v2f, GO-2021-0065
Advisory lineage Upstream: 0 Downstream: 3
Modified
Published: 29 Aug 2019, 00:40
Last modified: 17 Sept 2024, 02:06

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.81% LOW
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 Aug 2019, 00:40
Published
Vulnerability first disclosed
17 Sept 2024, 02:06
Last Modified
Vulnerability information updated

Description

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

CVSS Metrics

  • v3.1 MEDIUM, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v3.0 MEDIUM, score 4.7, vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v2.0 LOW, score 3.5, vector AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.81% Percentile: 75%

Techniques & Countermeasures

  • CWE-532: Insertion of Sensitive Information into Log File

    The product writes sensitive information to a log file.

Affected Systems

  • k8s.io/client-go

    < 0.17.0

  • k8s.io/kubernetes

    < 1.16.0-beta.1

  • kubernetes / kubernetes

    < 1.15.3 | 1.15.3 | 1.15.4:beta0 | 1.16.0:alpha1 | 1.16.0:alpha2 | 1.16.0:alpha3 | 1.16.0:beta1 | 1.16.0:beta2 | prior to 1.16

  • redhat / openshift_container_platform

    3.11 | 4.1

References (11)