Base Score

MEDIUM6.5

CVE-2019-11250

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.

VectorNETWORK

Published Byjordan@liggitt.net

Published DateAug 29, 2019, 01:15

Affected Versions(2)

k8s.io/client-go(Go)

Introduced0

Fixed0.17.0

LimitN/A

k8s.io/kubernetes(Go)

Introduced0

Fixed1.16.0-beta.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
k8s.io/client-go(Go)	0	0.17.0	N/A
k8s.io/kubernetes(Go)	0	1.16.0-beta.1	N/A

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE