CVE-2019-11250
Published 2019-08-29
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.17.4-1 (bookworm) | kubernetes 1.17.4-1 (bookworm) |
| k8s.io | client-go | >= 0 < 0.20.0-alpha.2 | 0.20.0-alpha.2 |
| k8s.io | client-go | >= 0 < 0.17.0 | 0.17.0 |
| k8s.io | kubernetes | >= 0 < 1.16.0-beta.1 | 1.16.0-beta.1 |
| kubernetes | kubernetes | < 1.20.0-alpha2 | 1.20.0-alpha2 |
| kubernetes | kubernetes | < 1.15.3 | 1.15.3 |
| kubernetes | kubernetes | <= 1.19.3 | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.17.4-1 | 1.17.4-1 |
| kubernetes | kubernetes | >= 0 < 1.17.4-1 | 1.17.4-1 |
| kubernetes | kubernetes | >= 0 < 1.17.4-1 | 1.17.4-1 |
| kubernetes | kubernetes | >= 0 < 1.17.4-1 | 1.17.4-1 |
| msrc | azl3_local-path-provisioner_0.0.24-5_on_azure_linux_3.0 | — | — |
| msrc | cm1_kubernetes_1.17.13-5_on_cbl_mariner_1.0 | — | — |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |