CVE-2020-8565
Published 2020-12-07
Priority: P425 · Severity: medium · CVSS 3.1 base score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.51% (39.7th percentile)
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.0-1 (bookworm) | kubernetes 1.20.0-1 (bookworm) |
| k8s.io | client-go | >= 0 < 0.17.16 | 0.17.16 |
| k8s.io | client-go | >= 0 < 0.20.0-alpha.2 | 0.20.0-alpha.2 |
| k8s.io | client-go | >= 0.18.0 < 0.18.14 | 0.18.14 |
| k8s.io | client-go | >= 0.19.0 < 0.19.6 | 0.19.6 |
| k8s.io | client-go | >= 0.20.0-alpha.0 < 0.20.0-alpha.2 | 0.20.0-alpha.2 |
| k8s.io | kubernetes | >= 0 < 1.20.0-alpha.2 | 1.20.0-alpha.2 |
| kubernetes | kubernetes | >= 0 < 1.20.0-1 | 1.20.0-1 |
| kubernetes | kubernetes | >= 0 < 1.20.0-1 | 1.20.0-1 |
| kubernetes | kubernetes | >= 0 < 1.20.0-1 | 1.20.0-1 |
| kubernetes | kubernetes | >= 0 < 1.20.0-1 | 1.20.0-1 |
| kubernetes | kubernetes | 1.17.0 – 1.17.13 | — |
| kubernetes | kubernetes | 1.18.0 – 1.18.10 | — |
| kubernetes | kubernetes | 1.19.0 – 1.19.3 | — |
| msrc | azl3_local-path-provisioner_0.0.24-5_on_azure_linux_3.0 | — | — |
| msrc | cm1_kubernetes_1.17.13-5_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd (v2.0) | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
| vendor_debian | 4.7 | MEDIUM | — |
OSV · 2023-02-06 · MEDIUM
Kubernetes client-go vulnerable to Sensitive Information Leak via Log File
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.5, <= v1.18.13, <= v1.17.15, < v1.20.0-alpha2.
GHSA · 2023-02-06 · MEDIUM · CWE-532
Kubernetes client-go vulnerable to Sensitive Information Leak via Log File
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.5, <= v1.18.13, <= v1.17.15, < v1.20.0-alpha2.
OSV · 2021-04-14 · MEDIUM · CVSS 6.5
Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go
Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level. This is due to an incomplete fix for CVE-2019-11250.
OSV · 2020-12-07 · MEDIUM · CVSS 5.5
CVE-2020-8565: In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Microsoft (vendor_msrc) · 2020-12-08 · MEDIUM · CVSS 5.5 · CWE-532
Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes: kubernetes
Customer Action Required: Yes
Remediation: CBL-Marin
Red Hat (vendor_redhat) · 2020-10-14 · MEDIUM · CVSS 6.5 · CWE-117
kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
A flaw was found in kubernetes. In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4.
Statement: OpenShift Container Platform 4 does not support LogLevels higher than 8 (via 'TraceAll'), and is therefore
Debian (vendor_debian) · 2020 · MEDIUM · CVSS 4.7
CVE-2020-8565: kubernetes - In Kubernetes, if the logging level is set to at least 9, authorization and bear...
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Scope: local
bookworm: resolved (fixed in 1.20.0-1)
bullseye: resolved (fixed in 1.20.0-1)
forky: resolved (fixed in 1.20.0-1)
sid: resolved (fixed in 1.20.0-1)
trixie: resolved (fixed in 1.20.0-1)
No detection rules found.
No public exploits indexed.