CVE-2019-17110

Name of the Vulnerable Software and Affected Versions kube-state-metrics versions v1.7.0 through v1.7.1

Description A security issue was discovered in kube-state-metrics where an experimental feature added to versions v1.7.0 and v1.7.1 enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

Recommendations For versions v1.7.0 and v1.7.1, upgrade to the v1.7.2 release as soon as possible to resolve the issue. As a temporary workaround, consider disabling the experimental feature that exposes annotations as metrics until the patch is applied. Restrict access to sensitive metrics to minimize the risk of exploitation. Avoid using the default kubectl behavior that can cause secret content to be exposed in metric labels until the issue is resolved.