data/reports/GO-2021-0065.yaml - vulndb - Git at Google

 id: GO-2021-0065
 modules:
     - module: k8s.io/client-go
       versions:
         - fixed: 0.17.0
       vulnerable_at: 0.16.16-rc.0
       packages:
         - package: k8s.io/client-go/transport
           symbols:
             - debuggingRoundTripper.RoundTrip
           derived_symbols:
             - basicAuthRoundTripper.RoundTrip
             - bearerAuthRoundTripper.RoundTrip
             - impersonatingRoundTripper.RoundTrip
             - userAgentRoundTripper.RoundTrip
     - module: k8s.io/kubernetes
       versions:
         - fixed: 1.16.0-beta.1
       vulnerable_at: 1.16.0-beta.0
       packages:
         - package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
           symbols:
             - debuggingRoundTripper.RoundTrip
           skip_fix: 'TODO: revisit this reason (module does not contain package k8s.io/kubernetes/staging/src/k8s.io/client-go/transport)'
 summary: Unauthorized credential disclosure in k8s.io/kubernetes and k8s.io/client-go
 description: |-
     Authorization tokens may be inappropriately logged if the verbosity level is set
     to a debug level.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2019-11250
 ghsas:
     - GHSA-jmrx-5g74-6v2f
 references:
     - fix: https://github.com/kubernetes/kubernetes/pull/81330
     - fix: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
     - web: https://github.com/kubernetes/kubernetes/issues/81114
	id: GO-2021-0065
	modules:
	- module: k8s.io/client-go
	versions:
	- fixed: 0.17.0
	vulnerable_at: 0.16.16-rc.0
	packages:
	- package: k8s.io/client-go/transport
	symbols:
	- debuggingRoundTripper.RoundTrip
	derived_symbols:
	- basicAuthRoundTripper.RoundTrip
	- bearerAuthRoundTripper.RoundTrip
	- impersonatingRoundTripper.RoundTrip
	- userAgentRoundTripper.RoundTrip
	- module: k8s.io/kubernetes
	versions:
	- fixed: 1.16.0-beta.1
	vulnerable_at: 1.16.0-beta.0
	packages:
	- package: k8s.io/kubernetes/staging/src/k8s.io/client-go/transport
	symbols:
	- debuggingRoundTripper.RoundTrip
	skip_fix: 'TODO: revisit this reason (module does not contain package k8s.io/kubernetes/staging/src/k8s.io/client-go/transport)'
	summary: Unauthorized credential disclosure in k8s.io/kubernetes and k8s.io/client-go
	description: \|-
	Authorization tokens may be inappropriately logged if the verbosity level is set
	to a debug level.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-11250
	ghsas:
	- GHSA-jmrx-5g74-6v2f
	references:
	- fix: https://github.com/kubernetes/kubernetes/pull/81330
	- fix: https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245
	- web: https://github.com/kubernetes/kubernetes/issues/81114