Kubernetes client-go vulnerable to Sensitive Information Leak via Log File · CVE-2020-8565 · GitHub Advisory Database · GitHub

Kubernetes client-go vulnerable to Sensitive Information Leak via Log File

Moderate severity GitHub Reviewed Published Feb 6, 2023 to the GitHub Advisory Database • Updated May 20, 2024

Package

k8s.io/client-go (Go)

Affected versions

>= 0.19.0, < 0.19.6

>= 0.20.0-alpha.0, < 0.20.0-alpha.2

>= 0.18.0, < 0.18.14

< 0.17.16

Patched versions

0.19.6

0.20.0-alpha.2

0.18.14

0.17.16

k8s.io/kubernetes (Go)

< 1.20.0-alpha.2

1.20.0-alpha.2

Description

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.5, <= v1.18.13, <= v1.17.15, < v1.20.0-alpha2.

References

Published to the GitHub Advisory Database Feb 6, 2023

Reviewed Feb 6, 2023

Last updated May 20, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N