CVE-2019-11243

HIGH8.1EPSS 0.23%

Kubernetes did not effectively clear service account credentials

發布日:2022/5/24修改日:2025/5/5

也稱為:GHSA-gc2p-g4fg-29vhGO-2025-3645

描述

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

受影響套件(2)

Go/k8s.io/kubernetes>= 1.12.0, < 1.12.5
Go/k8s.io/kubernetes>= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://github.com/advisories/GHSA-gc2p-g4fg-29vh
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-11243
PATCHhttps://github.com/kubernetes/kubernetes
WEBhttps://github.com/kubernetes/kubernetes/issues/76797
WEBhttps://security.netapp.com/advisory/ntap-20190509-0002