{
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-10-15T04:00:00.000Z",
"ID": "CVE-2020-8565",
"STATE": "PUBLIC",
"TITLE": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Kubernetes",
"product": {
"product_data": [
{
"product_name": "Kubernetes",
"version": {
"version_data": [
{
"version_value": "<= 1.19.3"
},
{
"version_value": "<= 1.18.10"
},
{
"version_value": "<= 1.17.13"
},
{
"version_value": "< 1.20.0-alpha2"
}
]
}
}
]
}
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Patrick Rhomberg (purelyapplied)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532 Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "Multiple secret leaks when verbose logging is enabled",
"refsource": "MLIST",
"url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"
},
{
"name": "https://github.com/kubernetes/kubernetes/issues/95623",
"refsource": "CONFIRM",
"url": "https://github.com/kubernetes/kubernetes/issues/95623"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes/kubernetes/issues/95623"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "eng",
"value": "Do not enable verbose logging (log level >= 9) in production, and limit access to logs."
}
]
} |