
CVE-2019-10223

Summary

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood (EPSS): not listed
Affected Versions (CPE): see "Affected Vendors, Products, and Versions" below
Public Exploits: 1 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.


*Credits: N/A
CVSS Scores

CVSS v3.1 (first vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None

CVSS v3.1 (second vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None

CVSS v2 (vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
  Attack Vector: Network
  Attack Complexity: Low
  Authentication: Single
  Confidentiality: Partial
  Integrity: None
  Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-03-27 CVE Reserved
  • 2019-11-05 CVE Published
  • 2023-03-10 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions

Vendor      Product                       Version  Other  Status
Kubernetes  Kube-state-metrics            1.7.0    -      Affected
            (running on: Linux / Linux Kernel, version --: Safe)
Kubernetes  Kube-state-metrics            1.7.1    -      Affected
            (running on: Linux / Linux Kernel, version --: Safe)
Redhat      Openshift Container Platform  3.11     -      Affected
Redhat      Openshift Container Platform  4.1      -      Affected
Redhat      Openshift Container Platform  4.2      -      Affected