Allele Security Alert
New feature exposing annotations as metrics can lead to information disclosure
Cloud Native Computing Foundation
Kubernetes kube-state-metrics versions before v1.7.2
Kubernetes kube-state-metrics version v1.7.2
Proof of concept
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature added in v1.7.0 and v1.7.1 exposed object annotations as metrics. By default, kube-state-metrics exposes only metadata about Secrets. However, the default kubectl behavior (kubectl apply records the entire applied object, including a Secret's data, in the kubectl.kubernetes.io/last-applied-configuration annotation) combined with this new feature can cause the full secret content to end up in metric labels, inadvertently exposing it to anyone who can scrape the metrics endpoint.
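The following added example (not code from kube-state-metrics or from this alert) emulates how the experimental kube_secret_annotations series turned the kubectl last-applied annotation into a label, and gives a defender-side check that scans a metrics scrape for Secret data leaked that way. The label-name sanitization, the Secret and its base64 value are assumptions constructed for the example; the v1.7.2 behavior is modelled as the #854 filter that drops the annotation.

```python
import json
import re

# The annotation kubectl apply writes; it embeds the whole last-applied object.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Constructed sample of what kubectl recorded for a Secret (made-up credential).
SAMPLE_LAST_APPLIED = json.dumps({"apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "payments"},
    "data": {"password": "cGFzc3dvcmQ="}})
SAMPLE_ANNOTATIONS = {LAST_APPLIED: SAMPLE_LAST_APPLIED, "owner": "team-payments"}
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # label="value" pairs

def label_name(annotation_key):
    """Emulate how an annotation key is sanitized into a metric label name."""
    return "annotation_" + re.sub(r"[^a-zA-Z0-9_]", "_", annotation_key)

def escape_label_value(value):  # Prometheus text-format escaping for label values
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def unescape_label_value(value):
    table = {"\\": "\\", '"': '"', "n": "\n"}
    return re.sub(r'\\(\\|"|n)', lambda m: table[m.group(1)], value)

def render_annotation_metric(kind, namespace, name, annotations, filter_last_applied):
    """Emulate the experimental kube_<kind>_annotations series: False mimics
    v1.7.0/v1.7.1, True mimics the v1.7.2 filter (#854) that drops the annotation."""
    labels = {"namespace": namespace, kind: name}
    for key, value in sorted(annotations.items()):
        if filter_last_applied and key == LAST_APPLIED:
            continue
        labels[label_name(key)] = value
    body = ",".join(f'{k}="{escape_label_value(v)}"' for k, v in labels.items())
    return f"kube_{kind}_annotations{{{body}}} 1"

def find_leaked_secret_data(exposition_text):
    """Scan a scrape for kube_secret_annotations series whose last-applied label
    still carries a Secret's data block; returns (namespace/name, data keys)."""
    leaks = []
    for line in exposition_text.splitlines():
        if not line.startswith("kube_secret_annotations{"):
            continue
        labels = {k: unescape_label_value(v) for k, v in LABEL_RE.findall(line)}
        try:
            obj = json.loads(labels.get(label_name(LAST_APPLIED), "{}"))
        except json.JSONDecodeError:
            continue  # malformed label value, not a leak we can confirm
        data = obj.get("data") or obj.get("stringData") if isinstance(obj, dict) else None
        if data:
            leaks.append((f"{labels.get('namespace')}/{labels.get('secret')}", sorted(data)))
    return leaks
```

Running find_leaked_secret_data over a real scrape of a v1.7.0/v1.7.1 endpoint flags every Secret whose data keys have landed in labels, which is the signal to upgrade to v1.7.2 and rotate the affected secrets.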
Release v1.7.2 / 2019-08-05 · kubernetes/kube-state-metrics · GitHub
Filter annotation “annotation_kubectl_kubernetes_io_last_applied_configuration” #854
Revert “add kube_*_annotations metrics for all objects” #859
add kube_*_annotations metrics for all objects
CVE-2019-17110 - Red Hat Customer Portal
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 23, 2019