CVE-2020-8565 — Improper Output Neutralization for Logs in Kubernetes

CWE-117 — Improper Output Neutralization for Logs CWE-532 — Log File Information Exposure10 documents8 sources

Severity

5.5MEDIUMNVD

CNA6.5OSV6.5

EPSS

0.1%

top 81.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Client-go K8s.io Kubernetes

Timeline

PublishedDec 7

Latest updateFeb 6

Description

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶Gok8s.io/client-go0.19.0 — 0.19.6+4

▶Gok8s.io/kubernetes< 1.20.0-alpha.2

▶CVEListV5kubernetes/kubernetes< 1.20.0-alpha2+3

▶Debiankubernetes/kubernetes< 1.20.0-1+3

▶NVDkubernetes/kubernetes1.17.0 — 1.17.13+2

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

OSV

Kubernetes client-go vulnerable to Sensitive Information Leak via Log File↗2023-02-06

▶

GHSA

Kubernetes client-go vulnerable to Sensitive Information Leak via Log File↗2023-02-06

▶

OSV

Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go↗2021-04-14

▶

CVEList

Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-12-07

▶

OSV

CVE-2020-8565: In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files↗2020-12-07

▶

📋Vendor Advisories

Microsoft

Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-12-08

▶

Red Hat

kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-10-14

▶

Debian

CVE-2020-8565: kubernetes - In Kubernetes, if the logging level is set to at least 9, authorization and bear...↗2020

▶

💬Community

Bugzilla

CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-10-09

▶