This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references.
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature added in v1.7.0 and v1.7.1 exposed Kubernetes object annotations as metric labels. By default, kube-state-metrics exposes only metadata about Secrets (name, namespace, type, labels), never their data. However, kubectl's default behaviour, in which `kubectl apply` records the full submitted object, base64-encoded `data` included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation, combined with this feature meant that the entire Secret content was copied into metric labels, inadvertently exposing Secret values to anyone able to scrape the metrics endpoint. The annotation metrics were removed in v1.7.2.
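As an added illustration (example code written for this page, not kube-state-metrics' own code), the following Python emulates the v1.7.0/v1.7.1 annotation-to-label behaviour on a constructed Secret shaped as the API would return it after `kubectl apply`, shows that the Secret value is recoverable from the resulting label, and includes a scanner a practitioner can run over a saved `/metrics` scrape to check whether an exporter is leaking Secret data this way. The metric name `kube_secret_annotations`, the `annotation_` label prefix, the key-sanitising rule and the `allowed_keys` parameter are assumptions made for the emulation, not the project's exact implementation.

```python
import base64
import json
import re

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def make_applied_secret(name, namespace, data, extra_annotations=None):
    """Constructed stand-in for a Secret read back from the API after `kubectl apply`.

    kubectl apply stores the full submitted object, base64 `data` included, in the
    kubectl.kubernetes.io/last-applied-configuration annotation. This is the default
    kubectl behaviour the advisory refers to.
    """
    submitted = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": dict(extra_annotations or {})},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }
    stored = json.loads(json.dumps(submitted))  # deep copy of the submitted object
    stored["metadata"]["annotations"][LAST_APPLIED] = json.dumps(submitted)
    return stored


def _label_name(annotation_key):
    # Assumed sanitiser: anything outside [A-Za-z0-9_] becomes '_'.
    return "annotation_" + re.sub(r"[^A-Za-z0-9_]", "_", annotation_key)


def _escape(value):
    # Prometheus text-format escaping for label values.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def secret_annotation_metric(secret, allowed_keys=None):
    """Emulate an experimental kube_secret_annotations sample (assumed shape).

    allowed_keys=None reproduces the behaviour the advisory describes: every
    annotation is copied into a label, last-applied-configuration included.
    An explicit allowlist is the hardened variant: only named keys are copied.
    """
    meta = secret["metadata"]
    labels = [("namespace", meta["namespace"]), ("secret", meta["name"])]
    for key, value in sorted(meta.get("annotations", {}).items()):
        if allowed_keys is not None and key not in allowed_keys:
            continue
        labels.append((_label_name(key), value))
    body = ",".join(f'{k}="{_escape(v)}"' for k, v in labels)
    return f"kube_secret_annotations{{{body}}} 1"


_LINE = re.compile(r"^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>.*)\}\s+\S+$")
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    # Reverse Prometheus label-value escaping (\\, \", \n).
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append("\n" if value[i + 1] == "n" else value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def find_leaked_secrets(metrics_text):
    """Scan /metrics text for Secret contents embedded in annotation labels.

    Returns (namespace, secret, {data key: decoded value}) for every
    kube_secret_annotations sample whose annotation label value parses as a
    Secret object carrying a `data` field, i.e. a last-applied-configuration copy.
    """
    leaks = []
    for line in metrics_text.splitlines():
        m = _LINE.match(line.strip())
        if not m or m.group("name") != "kube_secret_annotations":
            continue
        labels = {k: _unescape(v) for k, v in _LABEL.findall(m.group("labels"))}
        for name, value in labels.items():
            if not name.startswith("annotation_"):
                continue
            try:
                obj = json.loads(value)
            except ValueError:
                continue
            if isinstance(obj, dict) and obj.get("kind") == "Secret" \
                    and isinstance(obj.get("data"), dict):
                decoded = {}
                for k, v in obj["data"].items():
                    try:
                        decoded[k] = base64.b64decode(v).decode("utf-8", "replace")
                    except (ValueError, TypeError):
                        decoded[k] = "<undecodable>"
                leaks.append((labels.get("namespace"), labels.get("secret"), decoded))
    return leaks


if __name__ == "__main__":
    # Constructed sample Secret; "hunter2" is the value that must never reach /metrics.
    secret = make_applied_secret("db-creds", "prod", {"password": "hunter2"},
                                 {"team": "payments"})
    for ns, name, data in find_leaked_secrets(secret_annotation_metric(secret)):
        print(f"LEAK {ns}/{name}: {data}")
    print("allowlisted:", find_leaked_secrets(
        secret_annotation_metric(secret, allowed_keys={"team"})))
```

To audit a live exporter, save a scrape (`curl http://<kube-state-metrics>:8080/metrics > scrape.txt`) and pass the file contents to `find_leaked_secrets`; any hit means the running version copies `kubectl.kubernetes.io/last-applied-configuration` into labels and should be upgraded past 1.7.1. Note that a Secret created with `kubectl create` rather than `kubectl apply` does not carry the annotation, so a clean scan on one cluster does not prove the exporter version is safe.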
Vendor | Product | Version | CPE |
---|---|---|---|
k8s.io | kube-state-metrics | * | cpe:2.3:a:k8s.io:kube-state-metrics:*:*:*:*:*:*:*:* |
kubernetes | kube-state-metrics | * | cpe:2.3:a:kubernetes:kube-state-metrics:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-2v6x-frw8-7r7f
github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f
github.com/kubernetes/kube-state-metrics/commit/2a9ab3a9a0f1c4dbecb6a5577185b33bfac86a96
github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
nvd.nist.gov/vuln/detail/CVE-2019-17110