Lucene search

RedhatCVE-2019-10223

HistoryNov 05, 2019 - 12:15 p.m.

CVE-2019-10223

2019-11-0512:15:10

CWE-200

redhat

web.nvd.nist.gov

security issue

kube-state-metrics

v1.7.0

v1.7.1

v1.7.2

secret content

metrics

nvd

cve-2019-10223

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

48.9%

JSON

A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.

Affected configurations

Nvd

Vulners

Node

linuxlinux_kernelMatch-

AND

kuberneteskube-state-metricsMatch1.7.0

kuberneteskube-state-metricsMatch1.7.1

Node

redhatopenshift_container_platformMatch3.11

redhatopenshift_container_platformMatch4.1

redhatopenshift_container_platformMatch4.2

VendorProductVersionCPE
linuxlinux_kernel-cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
kuberneteskube-state-metrics1.7.0cpe:2.3:a:kubernetes:kube-state-metrics:1.7.0:*:*:*:*:*:*:*
kuberneteskube-state-metrics1.7.1cpe:2.3:a:kubernetes:kube-state-metrics:1.7.1:*:*:*:*:*:*:*
redhatopenshift_container_platform3.11cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
redhatopenshift_container_platform4.1cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
redhatopenshift_container_platform4.2cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	-	cpe:2.3:o:linux:linux_kernel:-:::::::*
kubernetes	kube-state-metrics	1.7.0	cpe:2.3:a:kubernetes:kube-state-metrics:1.7.0:::::::*
kubernetes	kube-state-metrics	1.7.1	cpe:2.3:a:kubernetes:kube-state-metrics:1.7.1:::::::*
redhat	openshift_container_platform	3.11	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
redhat	openshift_container_platform	4.1	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*
redhat	openshift_container_platform	4.2	cpe:2.3:a:redhat:openshift_container_platform:4.2:::::::*

CNA Affected

[
  {
    "product": "kube-state-metrics",
    "vendor": "Red Hat",
    "versions": [
      {
        "status": "affected",
        "version": "kube-state-metrics versions v1.7.0 and v1.7.1"
      }
    ]
  }
]

References

www.openwall.com/lists/oss-security/2019/08/15/8

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223

github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2

www.openwall.com/lists/oss-security/2019/08/09/1

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

48.9%

JSON

Related for CVE-2019-10223