Lucene search
GoogleOSV:GHSA-2V6X-FRW8-7R7FHistoryMay 18, 2021 - 3:38 p.m.
Exposure of Sensitive Information to an Unauthorized Actor in kube-state-metrics
2021-05-1815:38:54
Google
osv.dev
13
security issue
kube-state-metrics
unauthorized actor
experimental feature
annotations
metrics
secret content
metadata
default behavior
kubectl
metric labels
EPSS
0.002
Percentile
64.3%
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
Related
cvelist
cvelist
CVE-2019-17110
2019-10-03 19:21:51
github
github
osv
osv
CVE-2019-10223
2019-11-05 12:15:10
kube-state-metrics may expose secret content in metrics
2022-05-24 17:00:21
Exposure of sensitive information in k8s.io/kube-state-metrics
2021-05-18 15:38:54
nvd
nvd
CVE-2019-17110
2019-10-03 20:15:10
cve
cve
CVE-2019-17110
2019-10-03 20:15:10
