CVE-2020-8563 — Log File Information Exposure in Kubernetes

CWE-532 — Log File Information Exposure CWE-117 — Improper Output Neutralization for Logs10 documents8 sources

Severity

5.5MEDIUMNVD

CNA4.7

EPSS

0.1%

top 77.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Github.com Kubernetes Kubernetes K8s.io Kubernetes

Timeline

PublishedDec 7

Latest updateJun 5

Description

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶Gok8s.io/kubernetes< 1.19.3

▶CVEListV5kubernetes/kubernetes< 1.19.3

▶NVDkubernetes/kubernetes< 1.19.3

▶Gogithub.com/kubernetes_kubernetes< 1.19.3

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

OSV

Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes↗2024-06-05

▶

GHSA

Sensitive Information leak via Log File in Kubernetes↗2024-04-24

▶

OSV

Sensitive Information leak via Log File in Kubernetes↗2024-04-24

▶

CVEList

Secret leaks in logs for vSphere Provider kube-controller-manager↗2020-12-07

▶

OSV

CVE-2020-8563: In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the clou↗2020-12-07

▶

📋Vendor Advisories

Microsoft

Secret leaks in logs for vSphere Provider kube-controller-manager↗2020-12-08

▶

Red Hat

kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider↗2020-10-14

▶

Debian

CVE-2020-8563: kubernetes - In Kubernetes clusters using VSphere as a cloud provider, with a logging level s...↗2020

▶

💬Community

Bugzilla

CVE-2020-8563 kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider↗2020-10-09

▶