CVE-2019-11243

Summary

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesv1.12 <= v1.12.4affected
KubernetesKubernetesv1.13 <= v1.13.0affected

Weaknesses

  • CWE-271: CWE-271 Privilege Dropping / Lowering Errors

Workarounds

Clear the config.WrapTransport and config.Transport fields in addition to calling rest.AnonymousClientConfig()

ADP Enrichment

CVE Program Container

Additional References

References