Kubernetes did not effectively clear service account credentials

GHSA-gc2p-g4fg-29vh · CVE-2019-11243 · GO-2025-3645

Published May 24, 2022 · Modified May 5, 2025

Description

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-11243
WEB https://github.com/kubernetes/kubernetes/issues/76797
PACKAGE https://github.com/kubernetes/kubernetes
WEB https://security.netapp.com/advisory/ntap-20190509-0002

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes