CVE-2019-11250 — Log File Information Exposure in Kubernetes

CWE-532 — Log File Information Exposure CWE-117 — Improper Output Neutralization for Logs15 documents9 sources

Severity

6.5MEDIUMNVD

EPSS

0.8%

top 25.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Client-go K8s.io Kubernetes +1 more

Timeline

PublishedAug 29

Latest updateMay 24

Description

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶Gok8s.io/kubernetes< 1.16.0-beta.1

▶CVEListV5kubernetes/kubernetes< 1.20.0-alpha2+2

▶NVDkubernetes/kubernetes< 1.15.3+3

▶Debiankubernetes/kubernetes< 1.17.4-1+3

▶Gok8s.io/client-go< 0.17.0

Also affects: Openshift Container Platform 3.11, 4.1

🔴Vulnerability Details

OSV

Kubernetes client-go library logs may disclose credentials to unauthorized users↗2022-05-24

▶

GHSA

Kubernetes client-go library logs may disclose credentials to unauthorized users↗2022-05-24

▶

OSV

Unauthorized credential disclosure in k8s.io/kubernetes and k8s.io/client-go↗2021-04-14

▶

OSV

Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go↗2021-04-14

▶

CVEList

Kubernetes client-go logs authorization headers at debug verbosity levels↗2019-08-29

▶

📋Vendor Advisories

Microsoft

Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-12-08

▶

Red Hat

kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-10-14

▶

Red Hat

kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)↗2019-08-13

▶

Debian

CVE-2019-11250: kubernetes - The Kubernetes client-go library logs request headers at verbosity levels of 7 o...↗2019

▶

💬Community

HackerOne

CVE-2019-11250 remains in effect.↗2020-11-29

▶

Bugzilla

CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-10-09

▶

Bugzilla

CVE-2019-11250 kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7) [fedora-all]↗2019-08-13

▶

Bugzilla

CVE-2019-11250 kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)↗2019-08-13

▶