{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "1.16"}, {"status": "affected", "version": "1.17"}, {"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.12"}, {"status": "affected", "version": "1.13"}, {"status": "affected", "version": "1.14"}, {"status": "affected", "version": "1.15"}]}], "credits": [{"lang": "en", "value": "Christopher J. Ruwe"}], "datePublic": "2020-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Information Exposure Through an Error Message", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-23T14:47:38", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/kubernetes/kubernetes/pull/88684"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/pull/88684"], "discovery": "EXTERNAL"}, "title": "Credential leakage when failing to mount", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-03-04T05:00:00.000Z", "ID": "CVE-2019-11252", "STATE": "PUBLIC", "TITLE": "Credential leakage when failing to mount"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_name": "1.16", "version_value": "1.16"}, {"version_name": "1.17", "version_value": "1.17"}, {"version_name": "1.6", "version_value": "1.6"}, {"version_name": "1.7", "version_value": "1.7"}, {"version_name": "1.8", "version_value": "1.8"}, {"version_name": "1.9", "version_value": "1.9"}, {"version_name": "1.10", "version_value": "1.10"}, {"version_name": "1.11", "version_value": "1.11"}, {"version_name": "1.12", "version_value": "1.12"}, {"version_name": "1.13", "version_value": "1.13"}, {"version_name": "1.14", "version_value": "1.14"}, {"version_name": "1.15", "version_value": "1.15"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Christopher J. Ruwe"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Information Exposure Through an Error Message"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/pull/88684", "refsource": "MISC", "url": "https://github.com/kubernetes/kubernetes/pull/88684"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/pull/88684"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.032Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/pull/88684"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2019-11252", "datePublished": "2020-07-23T14:47:38.187100Z", "dateReserved": "2019-04-17T00:00:00", "dateUpdated": "2024-09-17T04:24:20.027Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "878A4225-E52D-4F15-B997-2663E870FB92", "versionEndIncluding": "1.17.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes."}, {"lang": "es", "value": "El Kubernetes kube-controller-manager en versiones v1.0-v1.17, es vulnerable a una filtraci\u00f3n de credenciales por medio de mensajes de error en registros de fallo de montaje y eventos para vol\u00famenes de AzureFile y CephFS"}], "id": "CVE-2019-11252", "lastModified": "2024-11-21T04:20:48.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-23T15:15:11.930", "references": [{"source": "jordan@liggitt.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/88684"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/88684"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2412", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift4/ose-hyperkube:v4.5.0-202007100518.p0", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-07-13T00:00:00Z"}, {"advisory": "RHSA-2020:2413", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-07-13T00:00:00Z"}], "bugzilla": {"description": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes", "id": "1860158", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860158"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.", "A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2019-11252", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2020-03-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11252\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11252"], "statement": "OpenShift Container Platform (OCP) included the upstream patch for this flaw in the release of version 4.5. Prior versions are affected as OCP 4 supports AzureFile volumes and OCP 3 supports both AzureFile and CephFS volumes. OCP clusters not using these volume types are not vulnerable.", "threat_severity": "Moderate"}