CVE-2019-10223

A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/08/15/8
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223	Issue Tracking Vendor Advisory
https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
https://www.openwall.com/lists/oss-security/2019/08/09/1	Exploit Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/08/15/8
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223	Issue Tracking Vendor Advisory
https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
https://www.openwall.com/lists/oss-security/2019/08/09/1	Exploit Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:kubernetes:kube-state-metrics:1.7.0:::::::*
	cpe:2.3:a:kubernetes:kube-state-metrics:1.7.1:::::::*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.2:::::::*

History

21 Nov 2024, 04:18

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2019/08/15/8 -~~	() http://www.openwall.com/lists/oss-security/2019/08/15/8 -
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223 - Issue Tracking, Vendor Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223 - Issue Tracking, Vendor Advisory
References	~~() https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2 -~~	() https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2 -
References	~~() https://www.openwall.com/lists/oss-security/2019/08/09/1 - Exploit, Mailing List, Third Party Advisory~~	() https://www.openwall.com/lists/oss-security/2019/08/09/1 - Exploit, Mailing List, Third Party Advisory

Information

Published : 2019-11-05 12:15

Updated : 2024-11-21 04:18

NVD link : CVE-2019-10223

Mitre link : CVE-2019-10223

CVE.ORG link : CVE-2019-10223

JSON object : View

Products Affected

linux

linux_kernel

kubernetes

kube-state-metrics

redhat

openshift_container_platform

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-10223

6.5^/10

4.0^/10

Attach tags to `CVE-2019-10223`