PT-2019-12209 · Kubernetes+1

Oleg Bulatov · Published 2019-01-18 · Updated 2025-05-07 · CVE-2019-11243

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kubernetes versions 1.12.0 through 1.12.4; Kubernetes version 1.13.0
Description: The issue concerns the rest.AnonymousClientConfig() method, which is supposed to return a copy of the provided config with credentials removed. However, in the affected versions, this method did not effectively clear service account credentials loaded using rest.InClusterConfig(). This means that sensitive information such as bearer tokens, usernames, passwords, and client certificate/key data was not properly removed.
Recommendations: For Kubernetes versions 1.12.0 through 1.12.4 and for Kubernetes version 1.13.0, update to a version in which the rest.AnonymousClientConfig() method correctly clears service account credentials. As a temporary workaround until a patch is available, restrict the use of the rest.AnonymousClientConfig() method.
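As an added illustration, not code from this advisory or from Kubernetes, the following constructed Go snippet contrasts an anonymiser that clears only inline credentials with one that also drops the file-backed token source that in-cluster loading relies on, and provides a check a practitioner can run in tests against any config handed to an unauthenticated client. The Config type, its field set and the function names are assumptions modelled loosely on client-go, not its real API.

```go
package main

// Config is a constructed, simplified stand-in for client-go's rest.Config,
// keeping only the credential-bearing fields named in the advisory.
type Config struct {
	Host               string
	BearerToken        string
	BearerTokenFile    string // file-backed token, as set by in-cluster loading
	Username, Password string
	CertData, KeyData  []byte
}

// IncompleteAnonymous (hypothetical) clears inline credentials but leaves the
// file-backed token path, so a transport can still re-read the token.
func IncompleteAnonymous(in *Config) *Config {
	out := *in
	out.BearerToken, out.Username, out.Password = "", "", ""
	out.CertData, out.KeyData = nil, nil
	return &out
}

// AnonymousConfig keeps only non-secret connection details, so nothing can
// be sent inline or re-loaded from disk by the transport.
func AnonymousConfig(in *Config) *Config {
	return &Config{Host: in.Host}
}

// CredentialLeaks names every credential source still present on a config
// that should be anonymous; an empty result means it is clean.
func CredentialLeaks(c *Config) []string {
	var leaks []string
	if c.BearerToken != "" {
		leaks = append(leaks, "BearerToken")
	}
	if c.BearerTokenFile != "" {
		leaks = append(leaks, "BearerTokenFile")
	}
	if c.Username != "" || c.Password != "" {
		leaks = append(leaks, "BasicAuth")
	}
	if len(c.CertData) > 0 || len(c.KeyData) > 0 {
		leaks = append(leaks, "ClientCert")
	}
	return leaks
}
```

Running CredentialLeaks over the result of an anonymiser in a unit test catches a regression of this kind before it reaches a cluster.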

Related Identifiers

ALT-PU-2019-1074
CVE-2019-11243
GHSA-GC2P-G4FG-29VH
GO-2025-3645
OPENSUSE-SU-2025:15059-1

Affected Products

Alt Linux
Kubernetes