#VU64817 Information Exposure Through an Error Message in Kubernetes - CVE-2019-11252

Cybersecurity Help s.r.o.

Published: 2022-06-30

Vulnerability identifier: #VU64817

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-11252

CWE-ID: CWE-209

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kubernetes
Server applications / Frameworks for developing and running applications

Vendor: Kubernetes

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists in kube-controller-manager due to credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes. A remote user can gain access to kubelet logs, read the credentials, and use them to access other services.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Kubernetes: 1.0.0 - 1.0.7, 1.1.0 - 1.17.17

External links
https://github.com/kubernetes/kubernetes/pull/88684
https://bugzilla.redhat.com/show_bug.cgi?id=1860158

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information Exposure Through an Error Message in Kubernetes Kubernetes