Moritz S

#41441 of 53,632
6.5 Total CVSS
Vulnerabilities · 1
PT-2019-11641
6.5
2019-11-05
Kubernetes · Kube-State-Metrics · CVE-2019-10223
Name of the Vulnerable Software and Affected Versions: kube-state-metrics versions v1.7.0 through v1.7.1

Description: A security issue was discovered in kube-state-metrics where an experimental feature added to versions v1.7.0 and v1.7.1 enabled annotations to be exposed as metrics. By default, kube-state-metrics only exposes metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

Recommendations: For versions v1.7.0 and v1.7.1, upgrade to the v1.7.2 release as soon as possible. As a temporary workaround, consider disabling the experimental feature that exposes annotations as metrics until a patch is available. Restrict access to sensitive information in metric labels to minimize the risk of exploitation.