github.com/quay/claircore@v1.5.28/rhel/rhcc/testdata/cve-2020-8565.xml

<?xml version="1.0" encoding="utf-8"?>
<cvemap updated="2021-11-16T19:11:00" license="CC BY 4.0, https://creativecommons.org/licenses/by/4.0/">
<Vulnerability name="CVE-2020-8565">
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2020-10-14T00:00:00</PublicDate>
    <Bugzilla id="1886638" url="https://bugzilla.redhat.com/show_bug.cgi?id=1886638" xml:lang="en:us">
CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel &gt;= 9
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>5.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-117</CWE>
    <Details source="Mitre" xml:lang="en:us">
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects &lt;= v1.19.3, &lt;= v1.18.10, &lt;= v1.17.13, &lt; v1.20.0-alpha2.
    </Details>
    <Details source="Red Hat" xml:lang="en:us">
A flaw was found in kubernetes. In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4.
    </Details>
    <Statement xml:lang="en:us">
OpenShift Container Platform 4 does not support LogLevels higher than 8 (via 'TraceAll'), and is therefore not affected by this vulnerability.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Patrick Rhomberg (purelyapplied) as the original reporter.
    </Acknowledgement>
    <AffectedRelease cpe="cpe:/a:redhat:openshift_container_storage:4">
        <ProductName>Red Hat OpenShift Container Storage 4.7.0 on RHEL-8</ProductName>
        <ReleaseDate>2021-05-19T00:00:00</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:2041">RHSA-2021:2041</Advisory>
        <Package name="ocs4/rook-ceph-rhel8-operator">ocs4/rook-ceph-rhel8-operator:4.7-140.49a6fcf.release_4.7</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:openshift_container_storage:4">
        <ProductName>Red Hat OpenShift Container Storage 4.8.0 on RHEL-8</ProductName>
        <ReleaseDate>2021-08-03T00:00:00</ReleaseDate>
        <Advisory type="RHBA" url="https://access.redhat.com/errata/RHBA-2021:3003">RHBA-2021:3003</Advisory>
        <Package name="ocs4/rook-ceph-rhel8-operator">ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8</Package>
    </AffectedRelease>
    <UpstreamFix>kubernetes 1.20.0, kubernetes 1.19.6, kubernetes 1.18.14, kubernetes 1.17.16</UpstreamFix>
    <References xml:lang="en:us">
https://github.com/kubernetes/kubernetes/issues/95623
https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
    </References>
</Vulnerability>
</cvemap>
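The fixture above is what claircore's rhcc updater consumes: a Red Hat cvemap record whose AffectedRelease/Package elements name a container repository and the first tag that carries the fix. The following is an added example, not claircore's own parser, showing how to decode that shape with encoding/xml and turn each Package into a (repository, fixed tag, advisory) record that a matcher could compare against an image reference. The struct names, the fixedVersions and fixedTagsFor helpers, and the trimmed XML embedded as sample input are all this example's own assumptions; the XML is a constructed copy of the fixture with the prose elements removed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// cvemap mirrors only the subset of the Red Hat cvemap schema used by the
// fixture; encoding/xml ignores elements that have no field (Details, etc.).
type cvemap struct {
	XMLName         xml.Name        `xml:"cvemap"`
	Updated         string          `xml:"updated,attr"`
	Vulnerabilities []vulnerability `xml:"Vulnerability"`
}

type vulnerability struct {
	Name           string            `xml:"name,attr"`
	ThreatSeverity string            `xml:"ThreatSeverity"`
	CWE            string            `xml:"CWE"`
	CVSS3Score     string            `xml:"CVSS3>CVSS3BaseScore"`
	CVSS3Vector    string            `xml:"CVSS3>CVSS3ScoringVector"`
	UpstreamFix    string            `xml:"UpstreamFix"`
	Releases       []affectedRelease `xml:"AffectedRelease"`
}

type affectedRelease struct {
	CPE         string   `xml:"cpe,attr"`
	ProductName string   `xml:"ProductName"`
	Advisory    advisory `xml:"Advisory"`
	Package     pkg      `xml:"Package"`
}

type advisory struct {
	Type string `xml:"type,attr"`
	URL  string `xml:"url,attr"`
	ID   string `xml:",chardata"`
}

type pkg struct {
	Name string `xml:"name,attr"`  // repository, e.g. ocs4/rook-ceph-rhel8-operator
	Ref  string `xml:",chardata"` // "repository:tag"
}

// fixedIn is one repository:tag pair that ships the fix (hypothetical type).
type fixedIn struct {
	Repository, Tag, Advisory, CPE string
}

func parseCVEMap(data []byte) (*cvemap, error) {
	var m cvemap
	if err := xml.Unmarshal(data, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// fixedVersions splits each Package on its last colon, so tags containing
// dots and repositories containing a registry port both survive. A Package
// with no tag names no fixed version and is skipped rather than guessed.
func fixedVersions(v vulnerability) []fixedIn {
	var out []fixedIn
	for _, r := range v.Releases {
		ref := strings.TrimSpace(r.Package.Ref)
		i := strings.LastIndex(ref, ":")
		if i < 0 || i == len(ref)-1 {
			continue
		}
		out = append(out, fixedIn{
			Repository: ref[:i],
			Tag:        ref[i+1:],
			Advisory:   strings.TrimSpace(r.Advisory.ID),
			CPE:        r.CPE,
		})
	}
	return out
}

// fixedTagsFor lists the fixed tags recorded for one repository; nil means
// the record says nothing about that repository, not that it is fixed.
func fixedTagsFor(fixes []fixedIn, repository string) []string {
	var tags []string
	for _, f := range fixes {
		if f.Repository == repository {
			tags = append(tags, f.Tag)
		}
	}
	return tags
}

// sample is a constructed, trimmed copy of the fixture above.
const sample = `<?xml version="1.0" encoding="utf-8"?>
<cvemap updated="2021-11-16T19:11:00" license="CC BY 4.0, https://creativecommons.org/licenses/by/4.0/">
<Vulnerability name="CVE-2020-8565">
    <ThreatSeverity>Moderate</ThreatSeverity>
    <CVSS3 status="verified">
        <CVSS3BaseScore>5.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-117</CWE>
    <AffectedRelease cpe="cpe:/a:redhat:openshift_container_storage:4">
        <ProductName>Red Hat OpenShift Container Storage 4.7.0 on RHEL-8</ProductName>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2021:2041">RHSA-2021:2041</Advisory>
        <Package name="ocs4/rook-ceph-rhel8-operator">ocs4/rook-ceph-rhel8-operator:4.7-140.49a6fcf.release_4.7</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:openshift_container_storage:4">
        <ProductName>Red Hat OpenShift Container Storage 4.8.0 on RHEL-8</ProductName>
        <Advisory type="RHBA" url="https://access.redhat.com/errata/RHBA-2021:3003">RHBA-2021:3003</Advisory>
        <Package name="ocs4/rook-ceph-rhel8-operator">ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8</Package>
    </AffectedRelease>
    <UpstreamFix>kubernetes 1.20.0, kubernetes 1.19.6, kubernetes 1.18.14, kubernetes 1.17.16</UpstreamFix>
</Vulnerability>
</cvemap>`

func main() {
	m, err := parseCVEMap([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, v := range m.Vulnerabilities {
		fmt.Printf("%s %s CVSS %s %s\n", v.Name, v.ThreatSeverity, v.CVSS3Score, v.CVSS3Vector)
		for _, f := range fixedVersions(v) {
			fmt.Printf("  %s fixed in tag %s (%s)\n", f.Repository, f.Tag, f.Advisory)
		}
	}
}
```

Two points worth keeping from the record when building a matcher on top of this: the Statement element says OCP 4 itself is unaffected, so the AffectedRelease entries, not the CVE's upstream version ranges, are what decide which images to flag; and the tag after the colon is a build string, not a semantic version, so compare tags by equality or by the vendor's ordering rather than parsing them as semver.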