CVE-2020-8564 — Log File Information Exposure in Kubernetes

CWE-532 — Log File Information Exposure CWE-117 — Improper Output Neutralization for Logs9 documents7 sources

Severity

5.5MEDIUMNVD

CNA4.7

EPSS

0.1%

top 82.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Github.com Kubernetes Kubernetes K8s.io Kubernetes

Timeline

PublishedDec 7

Latest updateFeb 6

Description

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶Gok8s.io/kubernetes< 1.20.0-alpha.1

▶CVEListV5kubernetes/kubernetes< 1.19.3+2

▶NVDkubernetes/kubernetes1.17.0 — 1.17.13+2

▶Gogithub.com/kubernetes_kubernetes1.19.0 — 1.19.3+2

▶Debiankubernetes/kubernetes< 1.19.3-1+3

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

GHSA

Kubernetes Sensitive Information leak via Log File↗2023-02-06

▶

OSV

Kubernetes Sensitive Information leak via Log File↗2023-02-06

▶

OSV

Sensitive information leak via log file in k8s.io/kubernetes↗2021-04-14

▶

CVEList

Docker config secrets leaked when file is malformed and loglevel >= 4↗2020-12-07

▶

OSV

CVE-2020-8564: In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config↗2020-12-07

▶

📋Vendor Advisories

Red Hat

kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4↗2020-10-14

▶

Debian

CVE-2020-8564: kubernetes - In Kubernetes clusters using a logging level of at least 4, processing a malform...↗2020

▶

💬Community

Bugzilla

CVE-2020-8564 kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4↗2020-10-09

▶