Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-8564: Docker config secrets leaked when file is malformed and log level >= 4 #95622

Closed
sfowl opened this issue Oct 15, 2020 · 3 comments
Closed

CVE-2020-8564: Docker config secrets leaked when file is malformed and log level >= 4 #95622

sfowl opened this issue Oct 15, 2020 · 3 comments
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)

Comments

@sfowl
Copy link
Contributor

sfowl commented Oct 15, 2020

CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (Medium)

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.

Am I vulnerable?

If kubernetes.io/dockerconfigjson type secrets are used, and a log level of 4 or higher is used. Third party tools using k8s.io/kubernetes/pkg/credentialprovider to read docker config files may also be vulnerable.

Affected Versions

kubernetes v1.19.0 - v1.19.2
kubernetes v1.18.0 - v1.18.9
kubernetes v1.17.0 - v1.17.12

How do I mitigate this vulnerability?

Do not enable verbose logging in production, limit access to logs.

Fixed Versions

v1.19.3
v1.18.10
v1.17.13

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Nikolaos Moraitis (Red Hat)
/area security
/kind bug
/committee product-security
@sfowl sfowl added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2020
@k8s-ci-robot k8s-ci-robot added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 15, 2020
@k8s-ci-robot
Copy link
Contributor

@sfowl: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sfowl
Copy link
Contributor Author

sfowl commented Oct 15, 2020

Fixed by #94712

@sfowl sfowl closed this as completed Oct 15, 2020
@adambkaplan adambkaplan mentioned this issue Dec 3, 2020
Merged
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 16, 2021
Open
1 task
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 31, 2021
Closed
@PushkarJ
Copy link
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Dec 2, 2021
@mend-for-github-com mend-for-github-com bot mentioned this issue May 9, 2022
Open
@k8s-sec-alert k8s-sec-alert mentioned this issue Sep 18, 2022
Open
This was referenced May 7, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@PushkarJ @sfowl @k8s-ci-robot