First published: Tue Nov 07 2023
The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information, such as GCP service account keys and API integration secrets, to the log while DEBUG-level logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions 1.5.0, 1.6.0, 1.6.1 and 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.

Required configuration: DEBUG logging is not enabled by default and must be configured by the end user. To check the log level of the Operator, review the flags passed in your deployment configuration (e.g. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27).
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB Atlas Kubernetes Operator | >=1.6.0 <1.7.1 | Upgrade to 1.7.1 or newer |
| MongoDB Atlas Kubernetes Operator | =1.5.0 | Upgrade to 1.7.1 or newer |
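The advisory's required-configuration check (inspect the flags passed to the Operator container) can be automated over the JSON that `kubectl get deployment <name> -o json` returns. The script below is an added example, not code from the advisory or from the MongoDB project. It assumes the Operator's log level is set with a `--log-level` flag defaulting to `info` (an assumption drawn from the manager.yaml the advisory points at; verify it against your own manifest), accepts both `--log-level=debug` and `--log-level debug` forms, reads the image tag to decide whether the running version is in the affected set stated on this page, and flags a container as at risk only when debug logging is on and the version is affected (or cannot be determined). The Deployment object and image names in it are constructed sample data.

```python
import json

# Assumed flag name and default level (based on the operator's manager.yaml
# referenced by the advisory, not confirmed by the advisory text itself).
LOG_LEVEL_FLAG = "--log-level"
DEFAULT_LOG_LEVEL = "info"

# Affected versions as stated in the advisory: 1.5.0, and >=1.6.0 <1.7.1.
AFFECTED_EXACT = {(1, 5, 0)}
AFFECTED_RANGE = ((1, 6, 0), (1, 7, 1))  # lower bound inclusive, upper exclusive


def parse_version(tag):
    """Parse 'v1.6.1' or '1.6.1' into a tuple; return None for non-semver tags."""
    parts = tag.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected_version(tag):
    """True/False for a parseable tag, None when the version cannot be decided
    (e.g. 'latest' or a digest-pinned image)."""
    v = parse_version(tag)
    if v is None:
        return None
    lo, hi = AFFECTED_RANGE
    return v in AFFECTED_EXACT or lo <= v < hi


def log_level_from_args(args):
    """Return the log level configured via LOG_LEVEL_FLAG in a container's args.

    Handles '--log-level=debug' and '--log-level debug'; the last occurrence
    wins, matching usual flag-parser behaviour. Falls back to DEFAULT_LOG_LEVEL.
    """
    level = DEFAULT_LOG_LEVEL
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith(LOG_LEVEL_FLAG + "="):
            level = arg.split("=", 1)[1]
        elif arg == LOG_LEVEL_FLAG and i + 1 < len(args):
            level = args[i + 1]
            i += 1
        i += 1
    return level.strip().lower()


def image_tag(image):
    """Extract the tag from an image reference; '' if there is none."""
    last = image.rsplit("/", 1)[-1]           # drop registry/repository path
    return last.rsplit(":", 1)[1] if ":" in last else ""


def audit_deployment(deployment):
    """Per-container findings for a Deployment object (kubectl -o json shape)."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for c in pod_spec.get("containers", []):
        level = log_level_from_args(c.get("args", []))
        tag = image_tag(c.get("image", ""))
        affected = is_affected_version(tag) if tag else None
        debug_on = level == "debug"
        findings.append({
            "container": c["name"],
            "log_level": level,
            "affected_version": affected,
            # Conservative: an undeterminable version with debug on is at risk.
            "at_risk": debug_on and affected is not False,
        })
    return findings


# Constructed sample: what `kubectl get deployment -o json` might return.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "mongodb-atlas-operator", "namespace": "mongodb-atlas-system"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "manager",
     "image": "registry.example.invalid/mongodb-atlas-kubernetes-operator:1.6.1",
     "args": ["--leader-elect", "--log-level=info", "--log-level", "debug"]},
    {"name": "sidecar",
     "image": "registry.example.invalid/some-sidecar:1.0.0",
     "args": ["--log-level=debug"]}
  ]}}}
}
""")

if __name__ == "__main__":
    for f in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f)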
CVE-2023-0436 is a vulnerability in MongoDB Atlas Kubernetes Operator that may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled.
CVE-2023-0436 affects MongoDB Atlas Kubernetes Operator versions 1.5.0 to 1.7.0.
CVE-2023-0436 has a severity of 7.5 (high).
To fix CVE-2023-0436, update MongoDB Atlas Kubernetes Operator to version 1.7.1 or newer.
More information about CVE-2023-0436 can be found at the following link: [https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1](https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1).