CVE-2020-8565: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
First published: Fri Oct 09 2020(Updated: )
A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/k8s.io/client-go | <0.17.16 | 0.17.16 |
| go/k8s.io/client-go | >=0.18.0<0.18.14 | 0.18.14 |
| go/k8s.io/client-go | >=0.20.0-alpha.0<0.20.0-alpha.2 | 0.20.0-alpha.2 |
| go/k8s.io/client-go | >=0.19.0<0.19.6 | 0.19.6 |
| redhat/mcg | <0:5.9.0-28.61dcf87.5.9.el8 | 0:5.9.0-28.61dcf87.5.9.el8 |
| Kubernetes Kubernetes | >=1.17.0<=1.17.13 | |
| Kubernetes Kubernetes | >=1.18.0<=1.18.10 | |
| Kubernetes Kubernetes | >=1.19.0<=1.19.3 | |
| redhat/kubernetes | <1.20.0 | 1.20.0 |
| redhat/kubernetes | <1.19.6 | 1.19.6 |
| redhat/kubernetes | <1.18.14 | 1.18.14 |
| redhat/kubernetes | <1.17.16 | 1.17.16 |
| go/k8s.io/kubernetes | <1.20.0-alpha.2 | 1.20.0-alpha.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-8565
- https://github.com/kubernetes/kubernetes/issues/95623
- https://github.com/kubernetes/kubernetes/pull/95316
- https://github.com/kubernetes/kubernetes/commit/e99df0e5a75eb6e86123b56d53e9b7ca0fd00419
- https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ
- https://pkg.go.dev/vuln/GO-2021-0064
- https://github.com/kubernetes/client-go/commit/19875a3d5a2e0d4f51c976a9e0662de3c2c011e3
- https://github.com/kubernetes/client-go/commit/1b8383fc150c9b816b0072032cca75754c2734d0
- https://github.com/kubernetes/client-go/commit/44e1a07f2d513e375c4b6ee6e890040b47befe86
- https://github.com/kubernetes/client-go/commit/e8f871a2e5fadf90fc114565abc0963967f1a373
- https://github.com/advisories/GHSA-8cfg-vx93-jvxw (Advisory)
- https://access.redhat.com/security/cve/CVE-2019-11250
- https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
- https://access.redhat.com/errata/RHSA-2021:2041
- https://access.redhat.com/security/cve/cve-2020-8565
- https://access.redhat.com/errata/RHSA-2021:5085
- https://access.redhat.com/errata/RHSA-2021:5086
- https://bugzilla.redhat.com/show_bug.cgi?id=1886638
- https://www.cve.org/CVERecord?id=CVE-2020-8565 https://nvd.nist.gov/vuln/detail/CVE-2020-8565 https://github.com/kubernetes/kubernetes/issues/95623 https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
- https://access.redhat.com/errata/RHBA-2021:3003
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-8565?
CVE-2020-8565 is a vulnerability in Kubernetes where authorization and bearer tokens are written to log files when the logging level is set to at least 9.
What is the severity of CVE-2020-8565?
CVE-2020-8565 has a severity value of 5.3, which is classified as medium severity.
How can the CVE-2020-8565 vulnerability be fixed?
To fix the CVE-2020-8565 vulnerability, update Kubernetes to version 1.20.0 or above.
Is there a workaround for the CVE-2020-8565 vulnerability?
There is no known workaround for the CVE-2020-8565 vulnerability. Updating Kubernetes to the fixed version is recommended.
Where can I find more information about CVE-2020-8565?
You can find more information about CVE-2020-8565 on the Red Hat Security Advisory page and the GitHub pull request page.
- collector/redhat-cve
- agent/type
- agent/author
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8565
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8cfg-vx93-jvxw
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.17.0
- version/kubernetes kubernetes/1.17.13
- version/kubernetes kubernetes/1.18.0
- version/kubernetes kubernetes/1.18.10
- version/kubernetes kubernetes/1.19.0
- version/kubernetes kubernetes/1.19.3
- package-manager/go