PT-2019-12216 · Kubernetes (+1)

Published: 2019-08-29 · Updated: 2022-05-24 · CVE-2019-11250

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kubernetes components in versions prior to 1.16.0
Description: The Kubernetes client-go library logs request headers when run at high verbosity levels. Because the headers include the credential used for basic or bearer token authentication, that credential can be disclosed to unauthorized users who can read the logs or the command output. Any component that uses basic or bearer token authentication through client-go and runs at a high verbosity level is affected.
Recommendations: For versions prior to 1.16.0, reduce the verbosity level so that request headers are not logged. As a temporary workaround, restrict access to log files to limit who can read any credential that has already been written. Do not run affected components at high verbosity levels until the issue is resolved.
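As an added illustration of the mitigation this entry describes (example code written for this entry, not client-go's own code or its fix): a redaction step applied to credential-bearing headers before any request headers are rendered for a log line, gated on a verbosity threshold, plus a scanner that flags clear-text basic or bearer credentials in log lines that were already written at high verbosity. The headerLogLevel constant, the function names and the sample log lines are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"sort"
	"strings"
)

// sensitiveHeaders lists request headers that carry credentials (basic or bearer
// token authentication) and must never be written to a log in clear text.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
}

// headerLogLevel is the verbosity at or above which this example renders request
// headers at all. The value is an assumption for the example, not client-go's.
const headerLogLevel = 8

// RedactHeaders returns a copy of h in which credential-bearing headers are
// replaced by a fixed marker, so the copy is safe to hand to a logger.
// The original header map is left untouched.
func RedactHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"<redacted>"}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

// FormatHeadersForLog renders request headers for a single log line. Below
// headerLogLevel nothing is rendered; at or above it the headers always pass
// through RedactHeaders first. Keys are sorted so the output is stable.
func FormatHeadersForLog(verbosity int, h http.Header) string {
	if verbosity < headerLogLevel {
		return ""
	}
	redacted := RedactHeaders(h)
	names := make([]string, 0, len(redacted))
	for name := range redacted {
		names = append(names, name)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, name := range names {
		parts = append(parts, name+": "+strings.Join(redacted[name], ", "))
	}
	return strings.Join(parts, "; ")
}

// credentialPattern matches an Authorization-style header whose value is a
// basic or bearer credential, as it would appear in a leaked log line.
var credentialPattern = regexp.MustCompile(`(?i)(?:proxy-)?authorization:\s*(?:bearer|basic)\s+\S+`)

// FindCredentialLeaks scans existing log lines (for example the output of a
// component that was run at high verbosity) and returns the zero-based indexes
// of lines containing a clear-text basic or bearer credential.
func FindCredentialLeaks(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if credentialPattern.MatchString(line) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer eyJ-constructed-token")
	h.Set("Accept", "application/json")

	fmt.Printf("v4: %q\n", FormatHeadersForLog(4, h)) // nothing rendered below the threshold
	fmt.Printf("v8: %q\n", FormatHeadersForLog(8, h)) // headers rendered, credential redacted

	// Constructed sample log lines, not real Kubernetes output.
	logs := []string{
		"I0829 10:00:01 GET https://10.0.0.1:6443/api/v1/pods",
		"I0829 10:00:01 Request Headers:",
		"I0829 10:00:01     Authorization: Bearer eyJ-constructed-token",
		"I0829 10:00:01     Accept: application/json",
	}
	fmt.Println("clear-text credential on lines:", FindCredentialLeaks(logs))
}
```

The scanner is the check to run over logs collected from a component that ran above the threshold before the verbosity was lowered: any hit means the credential on that line should be treated as exposed and rotated, not just the log file locked down.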

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

ALT-PU-2019-2792
ALT-PU-2019-2794
CVE-2019-11250
GHSA-JMRX-5G74-6V2F
GO-2021-0065
RHSA-2019:4052
RHSA-2019:4087

Affected Products

Alt Linux
Kubernetes