{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "< 1.19.3"}, {"status": "affected", "version": "< 1.18.10"}, {"status": "affected", "version": "< 1.17.13"}]}], "credits": [{"lang": "en", "value": "Kaizhe Huang (derek0405)"}], "datePublic": "2020-10-15T00:00:00", "descriptions": [{"lang": "en", "value": "In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Information Exposure Through Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-22T12:06:20", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/95624"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95624"], "discovery": "EXTERNAL"}, "title": "Ceph RBD adminSecrets exposed in logs when loglevel >= 4", "workarounds": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-10-15T04:00:00.000Z", "ID": "CVE-2020-8566", "STATE": "PUBLIC", "TITLE": "Ceph RBD adminSecrets exposed in logs when loglevel >= 4"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_value": "< 1.19.3"}, {"version_value": "< 1.18.10"}, {"version_value": "< 1.17.13"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Kaizhe Huang (derek0405)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532 Information Exposure Through Log Files"}]}]}, "references": {"reference_data": [{"name": "Multiple secret leaks when verbose logging is enabled", "refsource": "MLIST", "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"name": "https://github.com/kubernetes/kubernetes/issues/95624", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/95624"}, {"name": "https://security.netapp.com/advisory/ntap-20210122-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95624"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.087Z"}, "title": "CVE Program Container", "references": [{"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/95624"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8566", "datePublished": "2020-12-07T22:00:16.139583Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-16T20:17:09.853Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B765012B-C658-4EB8-956A-62A91142CE05", "versionEndExcluding": "1.17.13", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "67F84BBA-5FCA-4A23-BB4E-47BE92E3706A", "versionEndExcluding": "1.18.10", "versionStartIncluding": "1.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "456BD01B-44E8-4823-B220-5E109D8C377D", "versionEndExcluding": "1.19.3", "versionStartIncluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13."}, {"lang": "es", "value": "En los cl\u00fasteres de Kubernetes que usan Ceph RBD como aprovisionador de almacenamiento, con un nivel de registro de al menos 4, los secretos de administraci\u00f3n de Ceph RBD se pueden escribir en los registros. Esto ocurre en los registros de kube-controller-manager durante el aprovisionamiento de notificaciones persistentes de Ceph RBD. Esto afecta a versiones anteriores a v1.19.3, anteriores a v1.18.10, anteriores a v1.17.13"}], "id": "CVE-2020-8566", "lastModified": "2024-11-21T05:39:02.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-07T22:15:21.480", "references": [{"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/95624"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/95624"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kaizhe Huang (derek0405) as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:0037", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "impact": "low", "package": "openshift4/ose-hyperkube:v4.6.0-202101090040.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2020:5634", "cpe": "cpe:/a:redhat:openshift:4.7::el7", "impact": "low", "package": "openshift-0:4.7.0-202102060108.p0.git.97095.7271b90.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}], "bugzilla": {"description": "kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4", "id": "1886640", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886640"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-117", "details": ["In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.", "A flaw was found in kubernetes. If the logging level is to at least 4, and Ceph RBD is configured as a storage provisioner, then Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims."], "mitigation": {"lang": "en:us", "value": "OCP Clusters not using Ceph RBD volumes are not vulnerable to this issue. For clusters using Ceph RBD volumes, this can be mitigated by ensuring the logging level is below 4 and protecting unauthorized access to cluster logs.\nFor OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:\nhttps://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification\nIn OCP, a logging level of \"Debug\" is equivalent to 4: \nhttps://github.com/openshift/api/blob/master/operator/v1/types.go#L96\nThe default logging level is \"Normal\", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue."}, "name": "CVE-2020-8566", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2020-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8566\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8566\nhttps://github.com/kubernetes/kubernetes/issues/95624\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk"], "statement": "OpenShift Container Platform 4 does not support Ceph RBD persistent volumes, however the vulnerable code is included.", "threat_severity": "Moderate", "upstream_fix": "kubernetes 1.19.3, kubernetes 1.18.10, kubernetes 1.17.13"}