
CVE-2020-8565: Kubernetes client-go vulnerable to Sensitive Information Leak via Log File

CVSS Score: 4.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.1843%
Published: 2/6/2023
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name        Ecosystem   Vulnerable Versions                      First Patched Version
k8s.io/client-go    go          >= 0.19.0, < 0.19.6                      0.19.6
k8s.io/client-go    go          >= 0.20.0-alpha.0, < 0.20.0-alpha.2      0.20.0-alpha.2
k8s.io/client-go    go          >= 0.18.0, < 0.18.14                     0.18.14
k8s.io/client-go    go          < 0.17.16                                0.17.16
k8s.io/kubernetes   go          < 1.20.0-alpha.2                         1.20.0-alpha.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the toCurl method in client-go's transport layer, which renders each outgoing HTTP request as an equivalent curl command for debug logging. When the log verbosity is 9 or higher (-v=9), this curl output is emitted, and before the fix it copied every request header verbatim, so the Authorization header (including bearer tokens and basic-auth credentials) landed in the log. The fix (visible in the client-go commit diffs) routes header values through a maskValue() call that redacts the Authorization value, keeping only the auth scheme name. The GO-2021-0064 vulnerability report explicitly lists requestInfo.toCurl as an affected symbol, and the CVE description matches this behavior. A practical consequence: any logs collected from an unpatched client at that verbosity should be treated as containing live credentials, and the tokens they expose should be rotated.
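To make the before/after behavior concrete, the following added example (written for this page, not client-go's own code) reconstructs a minimal requestInfo type and two curl formatters: toCurlUnmasked reproduces the pre-fix header copying, and toCurlMasked applies an Authorization-masking step modelled on the upstream maskValue logic. The request, URL and token are constructed placeholders; the allow-list of auth schemes is an assumption for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// requestInfo is a cut-down stand-in for the per-request struct that
// client-go's debugging round tripper populates (example type, not client-go's).
type requestInfo struct {
	RequestVerb    string
	RequestURL     string
	RequestHeaders http.Header
}

// toCurlUnmasked reproduces the pre-fix behaviour: every header value,
// Authorization included, is copied verbatim into the logged curl command.
func toCurlUnmasked(r requestInfo) string {
	return formatCurl(r, func(_, v string) string { return v })
}

// toCurlMasked is the post-fix shape: each header value passes through
// maskValue before it reaches the log line.
func toCurlMasked(r requestInfo) string {
	return formatCurl(r, maskValue)
}

// formatCurl builds the "curl -k -v -X<verb> -H ... '<url>'" string, applying
// mask to every header value. Header keys are sorted so output is deterministic.
func formatCurl(r requestInfo, mask func(key, value string) string) string {
	keys := make([]string, 0, len(r.RequestHeaders))
	for k := range r.RequestHeaders {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var headers strings.Builder
	for _, key := range keys {
		for _, value := range r.RequestHeaders[key] {
			fmt.Fprintf(&headers, ` -H %q`, key+": "+mask(key, value))
		}
	}
	return fmt.Sprintf("curl -k -v -X%s%s '%s'", r.RequestVerb, headers.String(), r.RequestURL)
}

// knownAuthTypes is an assumed allow-list of schemes whose name is safe to keep
// for debugging; the credential part is always redacted.
var knownAuthTypes = map[string]bool{"basic": true, "bearer": true, "negotiate": true}

// maskValue redacts the Authorization header value. Recognised schemes keep
// their scheme name ("Bearer <masked>"); anything else is fully masked.
func maskValue(key, value string) string {
	if !strings.EqualFold(key, "Authorization") {
		return value
	}
	if value == "" {
		return ""
	}
	authType := value
	if i := strings.Index(value, " "); i > 0 {
		authType = value[:i]
	}
	if !knownAuthTypes[strings.ToLower(authType)] {
		return "<masked>"
	}
	if len(value) > len(authType)+1 {
		return authType + " <masked>"
	}
	return authType
}

func main() {
	// Constructed sample request; the token is a placeholder, not a real credential.
	req := requestInfo{
		RequestVerb: "GET",
		RequestURL:  "https://kube-apiserver.example:6443/api/v1/namespaces/default/pods",
		RequestHeaders: http.Header{
			"Accept":        {"application/json"},
			"Authorization": {"Bearer eyJhbGciOiJSUzI1NiJ9.placeholder-token"},
		},
	}
	fmt.Println("before fix:", toCurlUnmasked(req))
	fmt.Println("after fix: ", toCurlMasked(req))
}
```

Running it prints the full bearer token in the "before fix" line and "Authorization: Bearer <masked>" in the "after fix" line; the other headers are unchanged, which is the point of masking on the header name rather than dropping debug output altogether.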


WAF Protection Rules

WAF Rule

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v
