mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
add CVE details for 4 log leak issues
This commit is contained in:
parent
9880e65016
commit
e5010d41e9
@ -1,18 +1,107 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "security@kubernetes.io",
|
||||
"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
|
||||
"ID": "CVE-2020-8563",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Secret leaks in logs for vSphere Provider kube-controller-manager"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Kubernetes",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.19.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Kubernetes"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Kaizhe Huang (derek0405)"
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "HIGH",
|
||||
"attackVector": "LOCAL",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.7,
|
||||
"baseSeverity": "MEDIUM",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"privilegesRequired": "LOW",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-532 Information Exposure Through Log Files"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://github.com/kubernetes/kubernetes/issues/95621",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://github.com/kubernetes/kubernetes/issues/95621"
|
||||
},
|
||||
{
|
||||
"name": "Multiple secret leaks when verbose logging is enabled",
|
||||
"refsource": "MLIST",
|
||||
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"defect": [
|
||||
"https://github.com/kubernetes/kubernetes/issues/95621"
|
||||
],
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."
|
||||
}
|
||||
]
|
||||
}
|
@ -1,18 +1,115 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "security@kubernetes.io",
|
||||
"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
|
||||
"ID": "CVE-2020-8564",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Docker config secrets leaked when file is malformed and loglevel >= 4"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Kubernetes",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.19.3"
|
||||
},
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.18.10"
|
||||
},
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.17.13"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Kubernetes"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Nikolaos Moraitis (Red Hat)"
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "HIGH",
|
||||
"attackVector": "LOCAL",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.7,
|
||||
"baseSeverity": "MEDIUM",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"privilegesRequired": "LOW",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-532 Information Exposure Through Log Files"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://github.com/kubernetes/kubernetes/issues/95622",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://github.com/kubernetes/kubernetes/issues/95622"
|
||||
},
|
||||
{
|
||||
"name": "Multiple secret leaks when verbose logging is enabled",
|
||||
"refsource": "MLIST",
|
||||
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"defect": [
|
||||
"https://github.com/kubernetes/kubernetes/issues/95622"
|
||||
],
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."
|
||||
}
|
||||
]
|
||||
}
|
@ -1,18 +1,119 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "security@kubernetes.io",
|
||||
"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
|
||||
"ID": "CVE-2020-8565",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Kubernetes",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "1.19.3"
|
||||
},
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "1.18.10"
|
||||
},
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "1.17.13"
|
||||
},
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.20.0-alpha2"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Kubernetes"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Patrick Rhomberg (purelyapplied)"
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "HIGH",
|
||||
"attackVector": "LOCAL",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.7,
|
||||
"baseSeverity": "MEDIUM",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"privilegesRequired": "LOW",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-532 Information Exposure Through Log Files"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://github.com/kubernetes/kubernetes/issues/95623",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://github.com/kubernetes/kubernetes/issues/95623"
|
||||
},
|
||||
{
|
||||
"name": "Multiple secret leaks when verbose logging is enabled",
|
||||
"refsource": "MLIST",
|
||||
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"defect": [
|
||||
"https://github.com/kubernetes/kubernetes/issues/95623"
|
||||
],
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Do not enable verbose logging in production (log level >= 9), limit access to logs."
|
||||
}
|
||||
]
|
||||
}
|
@ -1,18 +1,115 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "security@kubernetes.io",
|
||||
"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
|
||||
"ID": "CVE-2020-8566",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Ceph RBD adminSecrets exposed in logs when loglevel >= 4 "
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Kubernetes",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.19.3"
|
||||
},
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.18.10"
|
||||
},
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_value": "1.17.13"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Kubernetes"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Kaizhe Huang (derek0405)"
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "HIGH",
|
||||
"attackVector": "LOCAL",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.7,
|
||||
"baseSeverity": "MEDIUM",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"privilegesRequired": "LOW",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-532 Information Exposure Through Log Files"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://github.com/kubernetes/kubernetes/issues/95624",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://github.com/kubernetes/kubernetes/issues/95624"
|
||||
},
|
||||
{
|
||||
"name": "Multiple secret leaks when verbose logging is enabled",
|
||||
"refsource": "MLIST",
|
||||
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"defect": [
|
||||
"https://github.com/kubernetes/kubernetes/issues/95624"
|
||||
],
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."
|
||||
}
|
||||
]
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user