{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "<= 1.19.3"}, {"status": "affected", "version": "<= 1.18.10"}, {"status": "affected", "version": "<= 1.17.13"}, {"status": "affected", "version": "< 1.20.0-alpha2"}]}], "credits": [{"lang": "en", "value": "Patrick Rhomberg (purelyapplied)"}], "datePublic": "2020-10-15T00:00:00", "descriptions": [{"lang": "en", "value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Information Exposure Through Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-07T22:00:19", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/95623"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95623"], "discovery": "EXTERNAL"}, "title": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", "workarounds": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 9), limit access to logs."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-10-15T04:00:00.000Z", "ID": "CVE-2020-8565", "STATE": "PUBLIC", "TITLE": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_value": "<= 1.19.3"}, {"version_value": "<= 1.18.10"}, {"version_value": "<= 1.17.13"}, {"version_value": "< 1.20.0-alpha2"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Patrick Rhomberg (purelyapplied)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532 Information Exposure Through Log Files"}]}]}, "references": {"reference_data": [{"name": "Multiple secret leaks when verbose logging is enabled", "refsource": "MLIST", "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"name": "https://github.com/kubernetes/kubernetes/issues/95623", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/95623"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95623"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 9), limit access to logs."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.382Z"}, "title": "CVE Program Container", "references": [{"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/95623"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8565", "datePublished": "2020-12-07T22:00:19.374983Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-17T00:05:58.669Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAC4DF80-12A5-482D-88C8-1939A015FBE4", "versionEndIncluding": "1.17.13", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "57F3AFC9-8D1D-4870-B40E-5A2CFEB2388E", "versionEndIncluding": "1.18.10", "versionStartIncluding": "1.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "13CE6526-CD5D-4B0D-AE8C-20E113F2D412", "versionEndIncluding": "1.19.3", "versionStartIncluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2."}, {"lang": "es", "value": "En Kubernetes, si el nivel de registro se establece en al menos 9, los tokens de autorizaci\u00f3n y portador se escribir\u00e1n en los archivos de registro. Esto puede ocurrir tanto en los registros del servidor API como en la salida de la herramienta cliente como kubectl. Esto afecta a versiones anteriores e iguales a v1.19.3, versiones anteriores e iguales a v1.18.10, versiones anteriores e iguales a v1.17.13, versiones anteriores a v1.20.0-alpha2"}], "id": "CVE-2020-8565", "lastModified": "2020-12-08T19:51:09.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2020-12-07T22:15:21.400", "references": [{"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/95623"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Patrick Rhomberg (purelyapplied) as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:2041", "cpe": "cpe:/a:redhat:openshift_container_storage:4.7::el8", "package": "ocs4/rook-ceph-rhel8-operator:4.7-140.49a6fcf.release_4.7", "product_name": "Red Hat OpenShift Container Storage 4.7.0 on RHEL-8", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/cephcsi-rhel8:4.8-125.01872cc.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/mcg-core-rhel8:5.8.0-38.e060925.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/mcg-rhel8-operator:5.8.0-27.4a6ca5f.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-must-gather-rhel8:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-operator-bundle:4.8.0-5", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/ocs-rhel8-operator:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "package": "ocs4/volume-replication-rhel8-operator:4.8-20.ab575a2.release_v0.1", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHSA-2021:5085", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "mcg-0:5.9.0-28.61dcf87.5.9.el8", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-cluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-hub-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}], "bugzilla": {"description": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", "id": "1886638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886638"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-117", "details": ["In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", "A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4."], "name": "CVE-2020-8565", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hyperkube", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2020-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8565\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8565\nhttps://github.com/kubernetes/kubernetes/issues/95623\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk"], "statement": "OpenShift Container Platform 4 does not support LogLevels higher than 8 (via 'TraceAll'), and is therefore not affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kubernetes 1.20.0, kubernetes 1.19.6, kubernetes 1.18.14, kubernetes 1.17.16"}