blob: 1456babc07445de171d38c0256145e5c3b130762 [file] [log] [blame]
id: GO-2021-0064
modules:
- module: k8s.io/client-go
versions:
- fixed: 0.20.0-alpha.2
vulnerable_at: 0.20.0-alpha.1
packages:
- package: k8s.io/client-go/transport
symbols:
- requestInfo.toCurl
derived_symbols:
- basicAuthRoundTripper.RoundTrip
- bearerAuthRoundTripper.RoundTrip
- debuggingRoundTripper.RoundTrip
- impersonatingRoundTripper.RoundTrip
- userAgentRoundTripper.RoundTrip
- module: k8s.io/kubernetes
versions:
- fixed: 1.20.0-alpha.2
vulnerable_at: 1.20.0-alpha.1
packages:
- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
symbols:
- requestInfo.toCurl
skip_fix: 'TODO: revisit this reason (module does not contain package k8s.io/kubernetes/staging/src/k8s.io/client-go/transport)'
summary: |-
Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and
k8s.io/client-go
description: |-
Authorization tokens may be inappropriately logged if the verbosity level is set
to a debug level. This is due to an incomplete fix for CVE-2019-11250.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-8565
ghsas:
- GHSA-8cfg-vx93-jvxw
credits:
- '@sfowl'
references:
- fix: https://github.com/kubernetes/kubernetes/pull/95316
- fix: https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
- web: https://github.com/kubernetes/kubernetes/issues/95623
review_status: REVIEWED