CVE-2019-11250

moderate-risk

Published 2019-08-29

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

Do I need to act?

0.81% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (10)

Kubernetes

Openshift Container Platform

Affected Vendors

Redhat Kubernetes

References (10)

http://www.openwall.com/lists/oss-security/2020/10/16/2

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4052

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4087

Third Party Advisory https://github.com/kubernetes/kubernetes/issues/81114

Third Party Advisory https://security.netapp.com/advisory/ntap-20190919-0003/

http://www.openwall.com/lists/oss-security/2020/10/16/2

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4052

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:4087

Third Party Advisory https://github.com/kubernetes/kubernetes/issues/81114

Third Party Advisory https://security.netapp.com/advisory/ntap-20190919-0003/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 16/34 · Moderate