Vulnerability Description
The Kubernetes client-go library logs request headers when run at log verbosity 7 or higher (for example `--v=7`). Because the Authorization header is written verbatim, basic-auth credentials and bearer tokens are disclosed to anyone who can read the logs or the command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0 that use basic or bearer token authentication and run at such verbosity levels are affected. In practice, audit any component or kubectl invocation that has been run at verbosity 7 or above, and treat credentials that appeared in those logs as exposed until rotated.
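The following Go program is an added example, not code from client-go or from the Kubernetes project, that contrasts the leaking debug path with a masked one. Assumptions: the function names (`maskValue`, `formatHeaders`, `debugRequestLines`, `leaksSecret`), the verbosity threshold of 7 taken from the description above, and the constructed request with a made-up bearer token. The masking keeps the auth scheme and replaces the credential with `<masked>`, which is the kind of change a fix for this class of bug needs; it is written here from scratch rather than copied from the upstream patch.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Headers that carry credentials. Header names are case-insensitive, so
// lookups go through strings.ToLower.
var sensitiveHeaders = map[string]bool{
	"authorization": true,
}

// maskValue hides the credential but keeps the scheme ("Bearer", "Basic"),
// so a debug log still shows which kind of auth was sent.
func maskValue(key, value string) string {
	if !sensitiveHeaders[strings.ToLower(key)] {
		return value
	}
	if i := strings.IndexByte(value, ' '); i > 0 {
		return value[:i] + " <masked>"
	}
	return "<masked>"
}

// formatHeaders renders headers as log lines. With mask=false it behaves
// like the vulnerable debug path: every value, Authorization included, is
// written verbatim. With mask=true credentials are replaced before logging.
func formatHeaders(h http.Header, mask bool) []string {
	var lines []string
	for k, vs := range h {
		for _, v := range vs {
			if mask {
				v = maskValue(k, v)
			}
			lines = append(lines, fmt.Sprintf("    %s: %s", k, v))
		}
	}
	sort.Strings(lines) // map iteration order is random; keep output stable
	return lines
}

// debugRequestLines is the verbosity gate: headers are only emitted at
// verbosity >= 7, which is exactly where the unsafe variant leaks.
func debugRequestLines(verbosity int, req *http.Request, mask bool) []string {
	if verbosity < 7 {
		return nil
	}
	lines := []string{fmt.Sprintf("Request Headers: %s %s", req.Method, req.URL)}
	return append(lines, formatHeaders(req.Header, mask)...)
}

// leaksSecret reports whether a credential made it into the log lines.
func leaksSecret(lines []string, secret string) bool {
	for _, l := range lines {
		if strings.Contains(l, secret) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: the token is a made-up placeholder, not a real credential.
	const token = "eyJhbGciOiJSUzI1NiJ9.constructed-example-token"
	req, _ := http.NewRequest("GET", "https://kube-apiserver.example:6443/api/v1/pods", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")

	for _, mask := range []bool{false, true} {
		lines := debugRequestLines(7, req, mask)
		fmt.Printf("--- masked=%v leaks=%v ---\n", mask, leaksSecret(lines, token))
		for _, l := range lines {
			fmt.Println(l)
		}
	}
}
```

Running it prints the two variants side by side: the unmasked block contains the full token, the masked block shows `Authorization: Bearer <masked>`. The same `leaksSecret` check, pointed at real log files with a known token, is a quick way to confirm whether a given deployment actually leaked.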
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | < 1.15.3 |
| Redhat | Openshift Container Platform | 3.11 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/10/16/2
- https://access.redhat.com/errata/RHSA-2019:4052 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:4087 (Third Party Advisory)
- https://github.com/kubernetes/kubernetes/issues/81114 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20190919-0003/ (Third Party Advisory)
FAQ
What is CVE-2019-11250?
CVE-2019-11250 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher, which can disclose basic-auth credentials and bearer tokens to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0 that use basic or bearer token authentication and run at high verbosity levels are affected.
How severe is CVE-2019-11250?
CVE-2019-11250 has been rated MEDIUM with a CVSS base score of 6.5/10. The impact is confidentiality only: credentials are exposed to whoever can read the logs or command output, so the practical severity depends on who has access to those logs and whether the affected components were run at verbosity 7 or higher.
Is there a patch for CVE-2019-11250?
Check the references section above for vendor advisories and patch information. Affected products include: Kubernetes Kubernetes, Redhat Openshift Container Platform.