CVE-2020-8565
4.7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | Kubernetes | <= 1.19.3 | affected |
| Kubernetes | Kubernetes | <= 1.18.10 | affected |
| Kubernetes | Kubernetes | <= 1.17.13 | affected |
| Kubernetes | Kubernetes | < 1.20.0-alpha2 | affected |
Weaknesses
- CWE-532: CWE-532 Information Exposure Through Log Files
Workarounds
Do not enable verbose logging in production (log level >= 9), limit access to logs.
ADP Enrichment
CVE Program Container
Additional References
- https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ
- https://github.com/kubernetes/kubernetes/issues/95623
References
- https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ
- https://github.com/kubernetes/kubernetes/issues/95623
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.