Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
No PoCs from references.
- https://github.com/ARPSyndicate/cvemon
- https://github.com/RClueX/Hackerone-Reports
- https://github.com/hacking-kubernetes/hacking-kubernetes.info
- https://github.com/imhunterand/hackerone-publicy-disclosed
- https://github.com/k1LoW/oshka
- https://github.com/noirfate/k8s_debug