CVE-2019-11243
Published: 2019-04-22
Priority P3 42 · Severity high · CVSS 3.1 base score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.49% (70.9th percentile)
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig().
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| k8s.io | kubernetes | >= 1.12.0 < 1.12.5 | 1.12.5 |
| k8s.io | kubernetes | >= 1.13.0 < 1.13.1 | 1.13.1 |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | 1.12.0 – 1.12.4 | — |
| kubernetes | kubernetes | v1.12 – v1.12.4 | — |
| kubernetes | kubernetes | v1.13 – v1.13.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 3.1 | LOW | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_debian | — | 8.1 | LOW | — |
| vendor_redhat | — | 8.1 | HIGH | — |
Red Hat
kubernetes: Authentication information exposure in rest.AnonymousClientConfig()
vendor_redhat · 2019-04-22 · CVSS 8.1 · HIGH · CWE-200
Statement: This issue does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality.
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11) - Not affected
Debian
CVE-2019-11243: kubernetes
vendor_debian · 2019 · CVSS 8.1 · HIGH
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes
osv · 2025-05-05 · HIGH
GHSA
Kubernetes did not effectively clear service account credentials
ghsa · 2022-05-24 · HIGH · CWE-212
OSV
Kubernetes did not effectively clear service account credentials
osv · 2022-05-24 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11243 kubernetes:openshift-3.10/origin: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29]
bugzilla · 2019-05-27 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2019-11243 kubernetes:1.1/kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29]
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
Bugzilla
CVE-2019-11243 kubernetes:openshift-3.10/origin: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-29]
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
Bugzilla
CVE-2019-11243 kubernetes: Authentication information exposure in rest.AnonymousClientConfig()
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
Upstream issue:
https://github.com/kubernetes/kubernetes/issues/76797
Discussion:
Created containernetworking-cni tracking bugs for this issue:
Affects: epel-7 [bug 1703224]
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1703220]
Created kubernetes:1.1/kubernetes tracking bugs for this issue:
Affects: fed
Bugzilla
CVE-2019-11243 kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-all]
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
Bugzilla
CVE-2019-11243 origin: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [fedora-all]
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
Bugzilla
CVE-2019-11243 containernetworking-cni: kubernetes: Authentication information exposure in rest.AnonymousClientConfig() [epel-7]
bugzilla · 2019-04-25 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.