| id: GO-2021-0064 |
| modules: |
| - module: k8s.io/client-go |
| versions: |
| - fixed: 0.20.0-alpha.2 |
| vulnerable_at: 0.20.0-alpha.1 |
| packages: |
| - package: k8s.io/client-go/transport |
| symbols: |
| - requestInfo.toCurl |
| derived_symbols: |
| - basicAuthRoundTripper.RoundTrip |
| - bearerAuthRoundTripper.RoundTrip |
| - debuggingRoundTripper.RoundTrip |
| - impersonatingRoundTripper.RoundTrip |
| - userAgentRoundTripper.RoundTrip |
| - module: k8s.io/kubernetes |
| versions: |
| - fixed: 1.20.0-alpha.2 |
| vulnerable_at: 1.20.0-alpha.1 |
| packages: |
| - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport |
| symbols: |
| - requestInfo.toCurl |
| skip_fix: 'TODO: revisit this reason (module does not contain package k8s.io/kubernetes/staging/src/k8s.io/client-go/transport)' |
| summary: |- |
| Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and |
| k8s.io/client-go |
| description: |- |
| Authorization tokens may be inappropriately logged if the verbosity level is set |
| to a debug level. This is due to an incomplete fix for CVE-2019-11250. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-8565 |
| ghsas: |
| - GHSA-8cfg-vx93-jvxw |
| credits: |
| - '@sfowl' |
| references: |
| - fix: https://github.com/kubernetes/kubernetes/pull/95316 |
| - fix: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419 |
| - web: https://github.com/kubernetes/kubernetes/issues/95623 |
| review_status: REVIEWED |