
CVE-2020-8564: Docker config secrets leaked when file is malformed and log level >= 4 #95622

Closed
@sfowl

Description


CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (Medium)

In Kubernetes clusters running at log level 4 or higher, processing a malformed docker config file causes the contents of that file, which can include pull secrets or other registry credentials, to be written to the log.
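The pattern behind this issue, as an added illustration that is not the Kubernetes project's own code: a parser that echoes the raw file body into the log on a parse error at verbosity 4 or above leaks any credentials inside the file, while the hardened variant logs only the error and the input size. The config layout, the `logf` callback and the constructed malformed sample are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DockerConfigJSON mirrors the shape of a kubernetes.io/dockerconfigjson
// secret: {"auths": {"<registry>": {"auth": "<base64 user:password>"}}}.
type DockerConfigJSON struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// Constructed sample (not a real credential): the final closing brace is
// missing, so json.Unmarshal rejects it as malformed.
const malformedConfig = `{"auths":{"registry.example.test":{"auth":"dXNlcjpzM2NyM3Q="}}`

// parseLeaky is the vulnerable pattern: on a parse error at verbosity >= 4
// the whole file body, credentials included, goes into the log.
func parseLeaky(data []byte, verbosity int, logf func(string, ...interface{})) (*DockerConfigJSON, error) {
	var cfg DockerConfigJSON
	if err := json.Unmarshal(data, &cfg); err != nil {
		if verbosity >= 4 {
			logf("while trying to parse blob %s: %v", string(data), err)
		}
		return nil, err
	}
	return &cfg, nil
}

// parseSafe is the hardened form: only the error and the input size are
// logged, so the raw bytes never reach the log at any verbosity.
func parseSafe(data []byte, verbosity int, logf func(string, ...interface{})) (*DockerConfigJSON, error) {
	var cfg DockerConfigJSON
	if err := json.Unmarshal(data, &cfg); err != nil {
		if verbosity >= 4 {
			logf("while trying to parse docker config (%d bytes): %v", len(data), err)
		}
		return nil, err
	}
	return &cfg, nil
}

// captureLog runs fn with a logger that collects every line into a string,
// standing in for the process log so the leak can be checked.
func captureLog(fn func(logf func(string, ...interface{}))) string {
	var sb strings.Builder
	fn(func(format string, args ...interface{}) { fmt.Fprintf(&sb, format+"\n", args...) })
	return sb.String()
}
```

Calling `parseLeaky` on `malformedConfig` at verbosity 4 puts the base64 `auth` value into the captured log; `parseSafe` does not, and neither does `parseLeaky` below verbosity 4.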

Am I vulnerable?

You are affected if secrets of type kubernetes.io/dockerconfigjson are used and the log level is 4 or higher. Third-party tools that use k8s.io/kubernetes/pkg/credentialprovider to read docker config files may also be vulnerable.

Affected Versions

kubernetes v1.19.0 - v1.19.2
kubernetes v1.18.0 - v1.18.9
kubernetes v1.17.0 - v1.17.12

How do I mitigate this vulnerability?

Do not enable verbose logging in production, and limit access to logs.

Fixed Versions

v1.19.3
v1.18.10
v1.17.13

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Nikolaos Moraitis (Red Hat)
/area security
/kind bug
/committee product-security
