CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8563 – Secret leaks in logs for vSphere Provider kube-controller-manager
https://notcve.org/view.php?id=CVE-2020-8563
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. En los clústeres de Kubernetes que utilizan VSphere como proveedor de nube, con un nivel de registro establecido en 4 o superior, las credenciales de la nube de VSphere se filtrarán en el registro del administrador del controlador de nube. Esto afecta a versiones anteriores a v1.19.3 A flaw was found in kubernetes. Clusters running on VSphere, using VSphere as a cloud provider a with logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. • https://github.com/kubernetes/kubernetes/issues/95621 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://security.netapp.com/advisory/ntap-20210122-0006 https://access.redhat.com/security/cve/CVE-2020-8563 https://bugzilla.redhat.com/show_bug.cgi?id=1886635 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8565 – Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
https://notcve.org/view.php?id=CVE-2020-8565
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2. En Kubernetes, si el nivel de registro se establece en al menos 9, los tokens de autorización y portador se escribirán en los archivos de registro. Esto puede ocurrir tanto en los registros del servidor API como en la salida de la herramienta cliente como kubectl. • https://github.com/kubernetes/kubernetes/issues/95623 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://access.redhat.com/security/cve/CVE-2020-8565 https://bugzilla.redhat.com/show_bug.cgi?id=1886638 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8566 – Ceph RBD adminSecrets exposed in logs when loglevel >= 4
https://notcve.org/view.php?id=CVE-2020-8566
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13. En los clústeres de Kubernetes que usan Ceph RBD como aprovisionador de almacenamiento, con un nivel de registro de al menos 4, los secretos de administración de Ceph RBD se pueden escribir en los registros. Esto ocurre en los registros de kube-controller-manager durante el aprovisionamiento de notificaciones persistentes de Ceph RBD. • https://github.com/kubernetes/kubernetes/issues/95624 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://security.netapp.com/advisory/ntap-20210122-0006 https://access.redhat.com/security/cve/CVE-2020-8566 https://bugzilla.redhat.com/show_bug.cgi?id=1886640 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2307 – jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes Plugin
https://notcve.org/view.php?id=CVE-2020-2307
Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables. Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permiten a usuarios con pocos privilegios acceder a variables de entorno del controlador de Jenkins posiblemente confidenciales • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1646 https://access.redhat.com/security/cve/CVE-2020-2307 https://bugzilla.redhat.com/show_bug.cgi?id=1895945 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2308 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates
https://notcve.org/view.php?id=CVE-2020-2308
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names. Una falta de comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los nombres de las plantillas pod global • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2102 https://access.redhat.com/security/cve/CVE-2020-2308 https://bugzilla.redhat.com/show_bug.cgi?id=1895946 • CWE-862: Missing Authorization •