The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
Published: 2019-08-29T01:15:11.523
Last modified: 2024-11-21T04:20:48.343
Status: Modified
CVSSv3.1: 6.5 (MEDIUM)
CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSSv2 exploitability score: 6.8
CVSSv2 impact score: 2.9
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | kubernetes | kubernetes | < 1.15.3 | Yes |
Application | kubernetes | kubernetes | 1.15.3 | Yes |
Application | kubernetes | kubernetes | 1.15.4 | Yes |
Application | kubernetes | kubernetes | 1.16.0 | Yes |
Application | redhat | openshift_container_platform | 3.11 | Yes |
Application | redhat | openshift_container_platform | 4.1 | Yes |