blob: 70fc1873fd1c9e4e2a7b8b321176a9b110223cad [file] [log] [blame]
id: GO-2021-0064
modules:
- module: k8s.io/client-go
versions:
- fixed: 0.20.0-alpha.2
vulnerable_at: 0.20.0-alpha.1
packages:
- package: k8s.io/client-go/transport
symbols:
- requestInfo.toCurl
derived_symbols:
- basicAuthRoundTripper.RoundTrip
- bearerAuthRoundTripper.RoundTrip
- debuggingRoundTripper.RoundTrip
- impersonatingRoundTripper.RoundTrip
- userAgentRoundTripper.RoundTrip
summary: |-
Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and
k8s.io/client-go
description: |-
Authorization tokens may be inappropriately logged if the verbosity level is set
to a debug level. This is due to an incomplete fix for CVE-2019-11250.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-8565
ghsas:
- GHSA-8cfg-vx93-jvxw
credits:
- '@sfowl'
references:
- fix: https://github.com/kubernetes/kubernetes/pull/95316
- fix: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
- web: https://github.com/kubernetes/kubernetes/issues/95623
review_status: REVIEWED