CVE-2020-8566

Aliases:GHSA-5x96-j797-5qqwGO-2024-2754
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 07 Dec 2020, 22:00
Last modified:16 Sept 2024, 20:17

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.09% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Dec 2020, 22:00
Published
Vulnerability first disclosed
16 Sept 2024, 20:17
Last Modified
Vulnerability information updated

Description

In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.

CVSS Metrics

  • v3.1MEDIUMScore: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v3.1MEDIUMScore: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v2.0LOWScore: 2.1AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.09% Percentile: 26%

Techniques & Countermeasures

  • CWE-532Insertion of Sensitive Information into Log File

    The product writes sensitive information to a log file.

Affected Systems

  • github.com/kuberneteskubernetes

    < 1.17.13 | ≥ 1.18.0, < 1.18.10 | ≥ 1.19.0, < 1.19.3

  • k8s.iokubernetes

    ≥ 1.19.0, < 1.19.3

  • kuberneteskubernetes

    ≥ 1.17.0, < 1.17.13 | ≥ 1.18.0, < 1.18.10 | ≥ 1.19.0, < 1.19.3 | < 1.19.3 | < 1.18.10 | < 1.17.13

References (11)