Information Exposure

Affecting github.com/kubernetes/kube-state-metrics package, versions >=1.7.0 <1.7.2


Overview

github.com/kubernetes/kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.

Affected versions of this package are vulnerable to Information Exposure. Versions 1.7.0 and 1.7.1 shipped an experimental feature that exposed object annotations as metric labels. By default, kube-state-metrics exposes only metadata about Secrets, never their contents. However, `kubectl apply` by default stores the full last-applied manifest of an object, including a Secret's `data` field, in the `kubectl.kubernetes.io/last-applied-configuration` annotation. With the annotations feature enabled, that annotation, and with it the entire Secret content, ends up in a metric label and is served to anyone who can scrape the kube-state-metrics endpoint.
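As an added illustration, not code from kube-state-metrics or from this advisory, the Go program below simulates the chain described above: `kubectl apply` writes the whole Secret into the last-applied-configuration annotation, an annotations-to-labels exporter copies every annotation into a `kube_secret_annotations` series, and the base64 secret value becomes scrapeable. It also shows the check a practitioner would run against a scraped `/metrics` body, and the allowlisted variant that does not leak. The type `Secret`, the functions `ApplyWithKubectl`, `RenderAnnotationSeries` and `LeaksSecretData`, the metric name and the `annotation_` label prefix are assumptions of this example; the sample Secret is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Secret mirrors the parts of a Kubernetes Secret relevant here (assumed shape).
// Data holds base64-encoded values exactly as the API server stores them.
type Secret struct {
	Namespace   string            `json:"namespace"`
	Name        string            `json:"name"`
	Annotations map[string]string `json:"annotations,omitempty"`
	Data        map[string]string `json:"data"`
}

// LastAppliedKey is the annotation `kubectl apply` writes by default; its value
// is a JSON copy of the full last-applied manifest, Secret data included.
const LastAppliedKey = "kubectl.kubernetes.io/last-applied-configuration"

// ApplyWithKubectl simulates `kubectl apply`: the whole object (minus the
// annotation itself) is serialised into the last-applied-configuration annotation.
func ApplyWithKubectl(s Secret) Secret {
	manifest := s
	manifest.Annotations = nil
	raw, _ := json.Marshal(manifest) // only string fields: cannot fail
	out := s
	out.Annotations = make(map[string]string, len(s.Annotations)+1)
	for k, v := range s.Annotations {
		out.Annotations[k] = v
	}
	out.Annotations[LastAppliedKey] = string(raw)
	return out
}

// SanitizeLabelName maps an annotation key to a label name using an assumed
// annotation_<key> convention, replacing characters Prometheus does not allow.
func SanitizeLabelName(key string) string {
	var b strings.Builder
	b.WriteString("annotation_")
	for _, r := range key {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '_':
			b.WriteRune(r)
		default:
			b.WriteByte('_')
		}
	}
	return b.String()
}

// escapeLabelValue applies Prometheus text-exposition escaping to a label value.
func escapeLabelValue(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(v)
}

// RenderAnnotationSeries renders one kube_secret_annotations series. A nil
// allowlist turns every annotation into a label (the vulnerable behaviour);
// a non-nil allowlist emits only the listed keys (the safe behaviour).
func RenderAnnotationSeries(s Secret, allow []string) string {
	allowed := func(k string) bool {
		if allow == nil {
			return true
		}
		for _, a := range allow {
			if a == k {
				return true
			}
		}
		return false
	}
	labels := []string{
		fmt.Sprintf(`namespace="%s"`, escapeLabelValue(s.Namespace)),
		fmt.Sprintf(`secret="%s"`, escapeLabelValue(s.Name)),
	}
	keys := make([]string, 0, len(s.Annotations))
	for k := range s.Annotations {
		if allowed(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // deterministic label order
	for _, k := range keys {
		labels = append(labels, fmt.Sprintf(`%s="%s"`, SanitizeLabelName(k), escapeLabelValue(s.Annotations[k])))
	}
	return "kube_secret_annotations{" + strings.Join(labels, ",") + "} 1"
}

// LeaksSecretData reports whether any base64 Data value of s appears verbatim in
// a metrics body: a cheap check to run over a scrape of the /metrics endpoint.
func LeaksSecretData(metrics string, s Secret) bool {
	for _, v := range s.Data {
		if v != "" && strings.Contains(metrics, v) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample Secret; the base64 value decodes to "hunter2".
	s := Secret{
		Namespace:   "default",
		Name:        "db-creds",
		Annotations: map[string]string{"team": "payments"},
		Data:        map[string]string{"password": "aHVudGVyMg=="},
	}
	stored := ApplyWithKubectl(s)
	vulnerable := RenderAnnotationSeries(stored, nil)
	fixed := RenderAnnotationSeries(stored, []string{"team"})
	fmt.Println(vulnerable, "\nleaks:", LeaksSecretData(vulnerable, stored))
	fmt.Println(fixed, "\nleaks:", LeaksSecretData(fixed, stored))
}
```

The same `LeaksSecretData` idea works in the field: dump the Secrets you expect to be sensitive, scrape the exporter, and grep the scrape for their base64 values. Any hit means the endpoint's network and RBAC exposure is now the Secret's exposure.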

Remediation

Upgrade github.com/kubernetes/kube-state-metrics to version 1.7.2 or higher.

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C
Credit
Unknown
CVE
CVE-2019-17110
CWE
CWE-200
Snyk ID
SNYK-GOLANG-GITHUBCOMKUBERNETESKUBESTATEMETRICS-471888
Disclosed
03 Oct, 2019
Published
03 Oct, 2019