CVE-2019-11243
3.1
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | Kubernetes | v1.12 <= v1.12.4 | affected |
| Kubernetes | Kubernetes | v1.13 <= v1.13.0 | affected |
Weaknesses
- CWE-271: CWE-271 Privilege Dropping / Lowering Errors
Workarounds
Clear the config.WrapTransport and config.Transport fields in addition to calling rest.AnonymousClientConfig()
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/kubernetes/kubernetes/issues/76797
- http://www.securityfocus.com/bid/108053
- https://security.netapp.com/advisory/ntap-20190509-0002/
References
- https://github.com/kubernetes/kubernetes/issues/76797
- http://www.securityfocus.com/bid/108053
- https://security.netapp.com/advisory/ntap-20190509-0002/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.