Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information

2021-05-1815:38:54

CWE-200

GitHub Advisory Database

github.com

kube-state-metrics

experimental feature

annotations

metrics

secrets

kubectl

secret content

security issue

AI Score

7.3

Confidence

High

EPSS

0.002

Percentile

64.3%

JSON

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references.

Original Description

A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

Affected configurations

Vulners

Node

k8s.iokube-state-metricsRange<1.7.2

kuberneteskube-state-metricsRange<1.7.2

VendorProductVersionCPE
k8s.iokube-state-metrics*cpe:2.3:a:k8s.io:kube-state-metrics:*:*:*:*:*:*:*:*
kuberneteskube-state-metrics*cpe:2.3:a:kubernetes:kube-state-metrics:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
k8s.io	kube-state-metrics	*	cpe:2.3:a:k8s.io:kube-state-metrics::::::::
kubernetes	kube-state-metrics	*	cpe:2.3:a:kubernetes:kube-state-metrics::::::::