CVE-2019-10223 — Sensitive Information Exposure in Kubernetes Kube-state-metrics
Severity
6.5MEDIUMNVD
EPSS
1.1%
top 22.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 5
Latest updateMay 24
Description
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been revert…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages4 packages
Also affects: Openshift Container Platform 3.11, 4.1, 4.2
🔴Vulnerability Details
5CVEList
▶
📋Vendor Advisories
1Red Hat▶
kube-state-metrics: annotations exposed as metrics in combination with `kubectl` can allow for exposure of secrets↗2019-08-09
💬Community
1Bugzilla▶
CVE-2019-10223 kube-state-metrics: annotations exposed as metrics in combination with `kubectl` can allow for exposure of secrets↗2019-08-13