Kubernetes Sensitive Information leak via Log File · CVE-2020-8564 · GitHub Advisory Database · GitHub

Kubernetes Sensitive Information leak via Log File

Moderate severity GitHub Reviewed Published Feb 6, 2023 to the GitHub Advisory Database • Updated May 20, 2024

Package

github.com/kubernetes/kubernetes (Go)

Affected versions

>= 1.19.0, < 1.19.3

>= 1.18.0, < 1.18.10

< 1.17.13

Patched versions

1.19.3

1.18.10

1.17.13

k8s.io/kubernetes (Go)

< 1.20.0-alpha.1

1.20.0-alpha.1

Description

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.

References

Published to the GitHub Advisory Database Feb 6, 2023

Reviewed Feb 6, 2023

Last updated May 20, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N