Vulnerability Report: GO-2022-0621

CVE-2019-10223, CVE-2019-17110, and 2 more
Affects: k8s.io/kube-state-metrics
Published: May 18, 2021
Modified: Jun 12, 2023

Exposing annotations as metrics can leak secrets. An experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.

Affected Packages

Path

Versions

Symbols
k8s.io/kube-state-metrics/internal/store

from v1.7.0 before v1.7.2

all symbols

Aliases

CVE-2019-10223
CVE-2019-17110
GHSA-2v6x-frw8-7r7f
GHSA-c92w-72c5-9x59

References

https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f
https://vuln.go.dev/ID/GO-2022-0621.json

Credits

Moritz S.

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL