Kubernetes client-go library logs may disclose credentials to unauthorized users
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated May 20, 2024
Description
Published by the National Vulnerability Database
Aug 29, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Feb 8, 2023
Last updated
May 20, 2024
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
References