{
  "threat_severity" : "Moderate",
  "public_date" : "2020-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9",
    "id" : "1886638",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1886638"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-117",
  "details" : [ "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", "A flaw was found in kubernetes. In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4." ],
  "statement" : "OpenShift Container Platform 4 does not support LogLevels higher than 8 (via 'TraceAll'), and is therefore not affected by this vulnerability.",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Patrick Rhomberg (purelyapplied) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Storage 4.7.0 on RHEL-8",
    "release_date" : "2021-05-19T00:00:00Z",
    "advisory" : "RHSA-2021:2041",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.7::el8",
    "package" : "ocs4/rook-ceph-rhel8-operator:4.7-140.49a6fcf.release_4.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/cephcsi-rhel8:4.8-125.01872cc.release_4.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/mcg-core-rhel8:5.8.0-38.e060925.5.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/mcg-rhel8-operator:5.8.0-27.4a6ca5f.5.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/ocs-must-gather-rhel8:4.8-196.a35d7d7.release_4.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/ocs-operator-bundle:4.8.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/ocs-rhel8-operator:4.8-196.a35d7d7.release_4.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8"
  }, {
    "product_name" : "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8",
    "release_date" : "2021-08-03T00:00:00Z",
    "advisory" : "RHBA-2021:3003",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4.8::el8",
    "package" : "ocs4/volume-replication-rhel8-operator:4.8-20.ab575a2.release_v0.1"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5085",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "mcg-0:5.9.0-28.61dcf87.5.9.el8"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/ocs-operator-bundle:4.9.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odf-multicluster-operator-bundle:4.9.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odf-operator-bundle:4.9.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odr-cluster-operator-bundle:4.9.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odr-hub-operator-bundle:4.9.0-5"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9"
  }, {
    "product_name" : "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5086",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.9::el8",
    "package" : "odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-hyperkube",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-clients",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Affected",
    "package_name" : "mcg",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/ocs-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "rhgs3/rhgs-gluster-block-prov-rhel7",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8565\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8565\nhttps://github.com/kubernetes/kubernetes/issues/95623\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk" ],
  "name" : "CVE-2020-8565",
  "csaw" : false
}