6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10223

GHSA ID

GHSA-c92w-72c5-9x59

EPSS Score

0.77661%

CWE

CWE-200

Published

5/24/2022

Updated

2/17/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10223

CVE-2019-10223: kube-state-metrics may expose secret content in metrics

A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10223

GHSA ID

GHSA-c92w-72c5-9x59

EPSS Score

0.77661%

CWE

CWE-200

Published

5/24/2022

Updated

2/17/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
k8s.io/kube-state-metrics	go	>= 1.7.0, < 1.7.2	1.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from experimental annotation exposure features added in v1.7.0. The commit diff shows removal of '*_annotations' metric generators across all resource handlers. These functions directly converted Kubernetes resource annotations into Prometheus labels without sanitization. For Secrets specifically, the default kubectl behavior of showing decoded secret data in annotations combined with these metric generators led to secret leakage. The kubeAnnotationsToPrometheusLabels function was the common vulnerable component across all resource types.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity issu* w*s *is*ov*r** in t** ku**-st*t*-m*tri*s v*rsions v*.*.* *n* v*.*.*. *n *xp*rim*nt*l ***tur* w*s ***** to t** v*.*.* r*l**s* t**t *n**l** *nnot*tions to ** *xpos** *s m*tri*s. *y ****ult, t** ku**-st*t*-m*tri*s m*tri*s only *xpos* m*

Reasoning

T** vuln*r**ility st*mm** *rom *xp*rim*nt*l *nnot*tion *xposur* ***tur*s ***** in v*.*.*. T** *ommit *i** s*ows r*mov*l o* '*_*nnot*tions' m*tri* **n*r*tors **ross *ll r*sour** **n*l*rs. T**s* *un*tions *ir**tly *onv*rt** Ku**rn*t*s r*sour** *nnot*ti

6.5

Basic Information

Concerned about an active attack path?

CVE-2019-10223: kube-state-metrics may expose secret content in metrics

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI