CVE-2018-1002104

Summary

Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.

Affected Software

VendorProductVersion RangeStatus
Kubernetesk8s.gcr.io/defaultbackenddefaultbackend < 1.5affected

Weaknesses

  • CWE-215: CWE-215 Information Exposure Through Debug Information

Workarounds

Mask the /metrics endpoint with an Ingress rule so that metrics aren't exposed publicly. See https://github.com/kubernetes/ingress-nginx/issues/1733#issuecomment-358492359

ADP Enrichment

CVE Program Container

Additional References

References