x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-gc2p-g4fg-29vh

[GoVulnBot]

Advisory GHSA-gc2p-g4fg-29vh references a vulnerability in the following Go modules:

Module
k8s.io/kubernetes

Description:
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

References:

• ADVISORY: GHSA-gc2p-g4fg-29vh
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-11243
• REPORT: CVE-2019-11243: v1.12.0-v1.12.4, v1.13.0: rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig() kubernetes/kubernetes#76797
• WEB: https://security.netapp.com/advisory/ntap-20190509-0002

Cross references:

• k8s.io/kubernetes appears in 45 other report(s):
  • data/excluded/GO-2022-0904.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904) NOT_IMPORTABLE
  • data/excluded/GO-2022-0909.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909) NOT_IMPORTABLE
  • data/excluded/GO-2022-0940.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1943.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943) EFFECTIVELY_PRIVATE
  • data/reports/GO-2021-0066.yaml (dummy issue #66)
  • data/reports/GO-2022-0617.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617)
  • data/reports/GO-2022-0701.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701)
  • data/reports/GO-2022-0703.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703)
  • data/reports/GO-2022-0782.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782)
  • data/reports/GO-2022-0802.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802)
  • data/reports/GO-2022-0867.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867)
  • data/reports/GO-2022-0885.yaml (x/vulndb: potential Go vuln in k8s.io/kube-proxy: GHSA-wqv3-8cm6-h6wg #885)
  • data/reports/GO-2022-0886.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886)
  • data/reports/GO-2022-0890.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890)
  • data/reports/GO-2022-0907.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907)
  • data/reports/GO-2022-0908.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908)
  • data/reports/GO-2022-0910.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910)
  • data/reports/GO-2022-0983.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983)
  • data/reports/GO-2023-1492.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492)
  • data/reports/GO-2023-1628.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-2394-5535-8j88 #1628)
  • data/reports/GO-2023-1629.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jh36-q97c-9928 #1629)
  • data/reports/GO-2023-1864.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864)
  • data/reports/GO-2023-1891.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qc2g-gmh6-95p4 #1891)
  • data/reports/GO-2023-1892.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892)
  • data/reports/GO-2023-1946.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q4rr-64r9-fwgf #1946)
  • data/reports/GO-2023-1959.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jq6-ffph-p4h8 #1959)
  • data/reports/GO-2023-1977.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977)
  • data/reports/GO-2023-1985.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985)
  • data/reports/GO-2023-2159.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2021-25736 #2159)
  • data/reports/GO-2023-2170.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170)
  • data/reports/GO-2023-2330.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330)
  • data/reports/GO-2023-2341.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341)
  • data/reports/GO-2024-2746.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746)
  • data/reports/GO-2024-2748.yaml (x/vulndb: potential Go vuln in k8s.io/apimachinery: GHSA-33c5-9fx5-fvjm #2748)
  • data/reports/GO-2024-2753.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubelet: GHSA-55qj-gj3x-jq9r #2753)
  • data/reports/GO-2024-2754.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5x96-j797-5qqw #2754)
  • data/reports/GO-2024-2755.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5xfg-wv98-264m #2755)
  • data/reports/GO-2024-2780.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/cmd/kubelet: GHSA-r76g-g87f-vw8f #2780)
  • data/reports/GO-2024-2994.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994)
  • data/reports/GO-2024-3277.yaml (x/vulndb: potential Go vuln in github.com/openshift/kubernetes: CVE-2024-0793 #3277)
  • data/reports/GO-2024-3286.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286)
  • data/reports/GO-2025-3465.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-jgfp-53c3-624w #3465)
  • data/reports/GO-2025-3521.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2025-1767 #3521)
  • data/reports/GO-2025-3522.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-vv39-3w5q-974q #3522)
  • data/reports/GO-2025-3547.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/cmd/kube-apiserver: GHSA-r56h-j38w-hrqq #3547)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.12.0
        - fixed: 1.12.5
        - introduced: 1.13.0
        - fixed: 1.13.1
      vulnerable_at: 1.13.1-beta.0
summary: Kubernetes did not effectively clear service account credentials in k8s.io/kubernetes
cves:
    - CVE-2019-11243
ghsas:
    - GHSA-gc2p-g4fg-29vh
references:
    - advisory: https://github.com/advisories/GHSA-gc2p-g4fg-29vh
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-11243
    - report: https://github.com/kubernetes/kubernetes/issues/76797
    - web: https://security.netapp.com/advisory/ntap-20190509-0002
source:
    id: GHSA-gc2p-g4fg-29vh
    created: 2025-04-24T18:02:05.056825008Z
review_status: UNREVIEWED