PT-2019-11641 · Kubernetes · Kube-State-Metrics, Kubectl
Moritz S
·
Published
2019-11-05
·
Updated
2022-05-24
·
CVE-2019-10223
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
kube-state-metrics versions v1.7.0 through v1.7.1
Description:
A security issue was discovered in kube-state-metrics: an experimental feature added in v1.7.0 and v1.7.1 exposed object annotations as metric labels. By default, kube-state-metrics exposes only metadata about Secrets (name, namespace, type), never their contents. However, kubectl apply records the complete object it applied, Secret data included, in the kubectl.kubernetes.io/last-applied-configuration annotation. Combined with the new feature, that annotation, and with it the entire Secret content, ends up in a metric label value, inadvertently exposing the secret to anyone who can scrape the metrics endpoint and to every system that stores the scraped data.
Recommendations:
For v1.7.0 and v1.7.1, upgrade to the v1.7.2 release as soon as possible. Until the upgrade is deployed, disable the experimental feature that exposes annotations as metrics, or filter the Secret annotation metrics out of what the exporter serves, and restrict who can reach the metrics endpoint. Treat any Secret whose data appeared in a scrape as exposed: the values may already sit in Prometheus storage and dashboards, so rotate them.
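As an added illustration (not code from this page or from the kube-state-metrics project), the following Python models the leak path described above and then scans a constructed /metrics scrape for it. The kubectl.kubernetes.io/last-applied-configuration annotation written by kubectl apply is real kubectl behaviour; the metric name kube_secret_annotations, the annotation_* label naming and the exposition rendering are assumptions made for this example.

```python
import json
import re

# Annotation kubectl apply writes; it holds the complete last-applied object, Secret data included.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed sample Secret, as a user would hand it to `kubectl apply -f`.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "type": "Opaque",
    "data": {"password": "c3VwZXJzZWNyZXQ="},  # base64("supersecret")
}


def simulate_kubectl_apply(manifest):
    """Return the object as stored by the API server after `kubectl apply` (real kubectl behaviour)."""
    stored = json.loads(json.dumps(manifest))  # deep copy
    annotations = stored["metadata"].setdefault("annotations", {})
    annotations[LAST_APPLIED] = json.dumps(manifest, separators=(",", ":"))
    return stored


def _escape(value):
    """Escape a label value per the Prometheus text exposition format."""
    return value.replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"')


def _unescape(value):
    """Inverse of _escape."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n"}.get(m.group(1), m.group(1)), value)


def render_secret_annotations_metric(stored_secret):
    """Model of the vulnerable behaviour: every annotation becomes a label value.

    Hypothetical rendering of the experimental v1.7.0/v1.7.1 feature; the metric
    and label names are assumptions for this example, not copied from the project.
    """
    meta = stored_secret["metadata"]
    labels = {"namespace": meta["namespace"], "secret": meta["name"]}
    for key, val in meta.get("annotations", {}).items():
        labels["annotation_" + re.sub(r"[^a-zA-Z0-9_]", "_", key)] = val
    rendered = ",".join(f'{k}="{_escape(v)}"' for k, v in labels.items())
    return f"kube_secret_annotations{{{rendered}}} 1"


METRIC_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)\{(.*)\}\s+\S+$")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def find_leaked_secrets(exposition_text):
    """Scan a /metrics scrape for label values that carry a whole Secret object.

    Returns one finding per offending label: (metric, label, "namespace/name", leaked data keys).
    Only the key names are reported so the checker itself never echoes secret values.
    """
    findings = []
    for line in exposition_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = METRIC_RE.match(line)
        if not m:
            continue
        metric, label_text = m.group(1), m.group(2)
        for key, raw in LABEL_RE.findall(label_text):
            try:
                obj = json.loads(_unescape(raw))
            except ValueError:
                continue  # ordinary label value, not an embedded object
            if not isinstance(obj, dict) or obj.get("kind") != "Secret":
                continue
            leaked = sorted(set(obj.get("data", {})) | set(obj.get("stringData", {})))
            if leaked:
                md = obj.get("metadata", {})
                findings.append((metric, key, f'{md.get("namespace")}/{md.get("name")}', leaked))
    return findings


def demo():
    """Build a constructed scrape with one safe metadata line and one leaking line, then scan it."""
    stored = simulate_kubectl_apply(SECRET_MANIFEST)
    scrape = "\n".join([
        "# HELP kube_secret_info Information about secret.",
        'kube_secret_info{namespace="prod",secret="db-creds"} 1',  # metadata only: safe
        render_secret_annotations_metric(stored),                  # the leak
    ])
    return find_leaked_secrets(scrape)


if __name__ == "__main__":
    for metric, label, secret, keys in demo():
        print(f"{secret}: data keys {keys} exposed via {metric} label {label}")
```

Pointing find_leaked_secrets at the text of a real scrape (curl of the kube-state-metrics /metrics endpoint) is a quick way to confirm whether an exporter in the affected range has already leaked anything, and which Secrets need rotating.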
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related identifiers
Affected products
Kube-State-Metrics
Kubectl