cvelist/2020/8xxx/CVE-2020-8565.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security@kubernetes.io",
        "DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
        "ID": "CVE-2020-8565",
        "STATE": "PUBLIC",
        "TITLE": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Kubernetes",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Kubernetes",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "<= 1.19.3"
                                        },
                                        {
                                            "version_value": "<= 1.18.10"
                                        },
                                        {
                                            "version_value": "<= 1.17.13"
                                        },
                                        {
                                            "version_value": "< 1.20.0-alpha2"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "Patrick Rhomberg (purelyapplied)"
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {
        "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-532 Information Exposure Through Log Files"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "Multiple secret leaks when verbose logging is enabled",
                "refsource": "MLIST",
                "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
            },
            {
                "name": "https://github.com/kubernetes/kubernetes/issues/95623",
                "refsource": "CONFIRM",
                "url": "https://github.com/kubernetes/kubernetes/issues/95623"
            }
        ]
    },
    "source": {
        "defect": [
            "https://github.com/kubernetes/kubernetes/issues/95623"
        ],
        "discovery": "EXTERNAL"
    },
    "work_around": [
        {
            "lang": "eng",
            "value": "Do not enable verbose logging in production (log level >= 9), limit access to logs."
        }
    ]
}
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`{`
			`"CVE_data_meta": {`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`"ASSIGNER": "security@kubernetes.io",`
			`"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",`
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`"ID": "CVE-2020-8565",`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`"STATE": "PUBLIC",`
			`"TITLE": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9"`
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`},`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"vendor_name": "Kubernetes",`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Kubernetes",`
			`"version": {`
			`"version_data": [`
			`{`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"version_value": "<= 1.19.3"`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`},`
			`{`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"version_value": "<= 1.18.10"`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`},`
			`{`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"version_value": "<= 1.17.13"`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`},`
			`{`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"version_value": "< 1.20.0-alpha2"`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`}`
			`]`
			`}`
			`}`
			`]`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`}`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`}`
			`]`
			`}`
			`},`
			`"credit": [`
			`{`
			`"lang": "eng",`
			`"value": "Patrick Rhomberg (purelyapplied)"`
			`}`
			`],`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`"value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "HIGH",`
			`"attackVector": "LOCAL",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 4.7,`
			`"baseSeverity": "MEDIUM",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "NONE",`
			`"privilegesRequired": "LOW",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-532 Information Exposure Through Log Files"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "Multiple secret leaks when verbose logging is enabled",`
			`"refsource": "MLIST",`
			`"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"`
"-Synchronized-Data." 2020-12-07 23:01:54 +00:00			`},`
			`{`
			`"name": "https://github.com/kubernetes/kubernetes/issues/95623",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/kubernetes/kubernetes/issues/95623"`
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`}`
			`]`
add CVE details for 4 log leak issues 2020-10-22 16:05:45 -04:00			`},`
			`"source": {`
			`"defect": [`
			`"https://github.com/kubernetes/kubernetes/issues/95623"`
			`],`
			`"discovery": "EXTERNAL"`
			`},`
			`"work_around": [`
			`{`
			`"lang": "eng",`
			`"value": "Do not enable verbose logging in production (log level >= 9), limit access to logs."`
			`}`
			`]`
"-Synchronized-Data." 2020-02-03 19:01:11 +00:00			`}`