CVE-2019-17110 — Sensitive Information Exposure in Kubernetes Kube-state-metrics

CWE-200 — Sensitive Information Exposure4 documents2 sources

Severity

—N/A

No vector

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Kubernetes Kube-state-metrics K8s.io Kube-state-metrics

Timeline

PublishedMay 18

Latest updateMay 24

Description

Exposure of sensitive information in k8s.io/kube-state-metrics Exposing annotations as metrics can leak secrets. An experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.

Affected Packages2 packages

▶Gok8s.io/kube-state-metrics1.7.0 — 1.7.2

▶Gogithub.com/kubernetes_kube-state-metrics1.7.0 — 1.7.2

🔴Vulnerability Details

OSV

kube-state-metrics may expose secret content in metrics↗2022-05-24

▶

OSV

Exposure of sensitive information in k8s.io/kube-state-metrics↗2021-05-18

▶

OSV

Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information↗2021-05-18

▶

GHSA

Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information↗2021-05-18

▶