Vulnerability Name:

CVE-2019-11250 (CCN-166710)

Assigned:2019-08-07
Published:2019-08-07
Updated:2020-10-16
Summary:The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-532
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2019-11250

Source: MLIST
Type: UNKNOWN
[oss-security] 20201016 Kubernetes: Multiple secret leaks when verbose logging is enabled

Source: REDHAT
Type: Third Party Advisory
RHSA-2019:4052

Source: REDHAT
Type: Third Party Advisory
RHSA-2019:4087

Source: XF
Type: UNKNOWN
kubernetes-cve201911250-info-disc(166710)

Source: CCN
Type: Kubernetes GIT Repository
CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs #81114

Source: CONFIRM
Type: Third Party Advisory
https://github.com/kubernetes/kubernetes/issues/81114

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190919-0003/

Source: CCN
Type: IBM Security Bulletin 1143454 (Watson Studio Local)
Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local

Source: CCN
Type: IBM Security Bulletin 6436613 (InfoSphere Information Server)
Multiple vulnerabilities in Kubernetes affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6599703 (Db2 On Openshift)
Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6614451 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6833272 (CICS TX Standard)
IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Kubernetes.

Source: CCN
Type: IBM Security Bulletin 6833274 (CICS TX Advanced)
IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Kubernetes.

Source: CCN
Type: IBM Security Bulletin 7002503 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:Configuration 1:
  • cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version < 1.15.3)
  • OR cpe:/a:kubernetes:kubernetes:1.15.3:-:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.15.4:beta0:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.16.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.16.0:alpha2:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.16.0:alpha3:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.16.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.16.0:beta2:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:kubernetes:kubernetes:1.15.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_studio_local:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    kubernetes kubernetes *
    kubernetes kubernetes 1.15.3 -
    kubernetes kubernetes 1.15.4 beta0
    kubernetes kubernetes 1.16.0 alpha1
    kubernetes kubernetes 1.16.0 alpha2
    kubernetes kubernetes 1.16.0 alpha3
    kubernetes kubernetes 1.16.0 beta1
    kubernetes kubernetes 1.16.0 beta2
    redhat openshift container platform 3.11
    redhat openshift container platform 4.1
    kubernetes kubernetes 1.15.0 -
    ibm infosphere information server 11.7
    ibm watson studio local 1.2.3
    ibm db2 warehouse 3.5 -
    ibm db2 warehouse 4.0 -
    ibm db2 3.5 -
    ibm db2 4.0 -
    ibm cics tx 11.1
    ibm cics tx 11.1
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm cloud pak for security 1.10.0.0