CVE-2018-1002104
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | k8s.gcr.io/defaultbackend | defaultbackend < 1.5 | affected |
Weaknesses
- CWE-215: CWE-215 Information Exposure Through Debug Information
Workarounds
Mask the /metrics endpoint with an Ingress rule so that metrics aren't exposed publicly. See https://github.com/kubernetes/ingress-nginx/issues/1733#issuecomment-358492359
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.