CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (Medium)

In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl.

Am I vulnerable?

If kube-apiserver is using a log level of at least 9.

Affected Versions

kubernetes v1.19.0 - v1.19.5
kubernetes v1.18.0 - v1.18.13
kubernetes v1.17.0 - v1.17.15

How do I mitigate this vulnerability?

Do not enable verbose logging in production, limit access to logs.

Fixed Versions

kubernetes v1.20.0
kubernetes v1.19.6
kubernetes v1.18.14
kubernetes v1.17.16

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Patrick Rhomberg (purelyapplied)

/area security
/kind bug
/committee product-security