Miggo Logo

CVE-2020-8563: Sensitive Information leak via Log File in Kubernetes

6.3

CVSS Score
3.1

Basic Information

EPSS Score
0.24613%
Published
4/24/2024
Updated
4/24/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/kubernetes/kubernetesgo< 1.19.31.19.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two functions in the VSphere cloud provider implementation that logged Secret objects with verbosity level 4. The commit 247f6dd shows these functions originally used '%+v' formatting which exposes secret contents. The CVE description explicitly mentions credential leakage via cloud controller manager logs at log level 4+, and the patch modifies these exact functions to remove sensitive data from logs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Ku**rn*t*s *lust*rs usin* VSp**r* *s * *lou* provi**r, wit* * lo**in* l*v*l s*t to * or **ov*, VSp**r* *lou* *r***nti*ls will ** l**k** in t** *lou* *ontroll*r m*n***r's lo*. T*is *****ts < v*.**.*.

Reasoning

T** vuln*r**ility st*ms *rom two *un*tions in t** VSp**r* *lou* provi**r impl*m*nt*tion t**t lo**** S**r*t o*j**ts wit* v*r*osity l*v*l *. T** *ommit `*******` s*ows t**s* *un*tions ori*in*lly us** '%+v' *orm*ttin* w*i** *xpos*s s**r*t *ont*nts. T**