Bug 1133146 (CVE-2019-11243) - VUL-1: CVE-2019-11243: kubernetes: the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/k
Summary: VUL-1: CVE-2019-11243: kubernetes: the rest.AnonymousClientConfig() method re...
Status: RESOLVED FIXED
Alias: CVE-2019-11243
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/230073/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-23 15:33 UTC by Marcus Meissner
Modified: 2024-07-19 12:39 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2019-04-23 15:33:19 UTC
CVE-2019-11243

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig()
method returns a copy of the provided config, with credentials removed (bearer
token, username/password, and client certificate/key data). In the affected
versions, rest.AnonymousClientConfig() did not effectively clear service account
credentials loaded using rest.InClusterConfig().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11243
https://github.com/kubernetes/kubernetes/issues/76797
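The failure mode the advisory describes, modelled as an added example that is not part of this bug report or of the Kubernetes source: a credential-stripping copy that clears the in-memory token, basic auth and client certificate but overlooks a second credential source, so a config that is supposed to be anonymous still authenticates. The `Config` type below is a deliberately simplified stand-in for client-go's `rest.Config`, the function names are this example's own, and the assumption that an in-cluster config references its service-account token by file path (the conventional mount path is used as a constructed value) is an illustration of how credentials loaded by `rest.InClusterConfig()` can survive such a copy, not a statement taken from the page. The `credentialSources` check is the kind of assertion a defender would put in a unit test to catch this class of regression.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a deliberately simplified stand-in for client-go's rest.Config
// (this example's own type, not the real one). It keeps only the fields that
// matter for the credential-stripping question raised by CVE-2019-11243.
type Config struct {
	Host            string
	BearerToken     string // token value held in memory
	BearerTokenFile string // path a token is (re)loaded from (assumed in-cluster mechanism)
	Username        string
	Password        string
	CertData        []byte
	KeyData         []byte
	CAData          []byte // server CA bundle; not a client credential
}

// inClusterConfig models what an in-cluster config hands back to a pod:
// the service-account token is referenced by file path rather than copied
// into BearerToken. The path is a constructed value (conventional mount point).
func inClusterConfig() *Config {
	return &Config{
		Host:            "https://kubernetes.default.svc",
		BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
		CAData:          []byte("-- constructed CA bundle --"),
	}
}

// anonymousClientConfigVulnerable mirrors the behaviour the advisory describes:
// it strips the in-memory token, basic auth and client cert/key, but leaves the
// token *file* reference in place, so a client built from it still authenticates
// as the service account. (Illustration of the flaw, not the upstream code.)
func anonymousClientConfigVulnerable(c *Config) *Config {
	cp := *c // struct copy; the original config is left untouched
	cp.BearerToken = ""
	cp.Username = ""
	cp.Password = ""
	cp.CertData = nil
	cp.KeyData = nil
	return &cp
}

// anonymousClientConfigFixed clears every credential source, including the
// file-backed token, which is the property an anonymous config must have.
func anonymousClientConfigFixed(c *Config) *Config {
	cp := anonymousClientConfigVulnerable(c)
	cp.BearerTokenFile = ""
	return cp
}

// credentialSources lists the fields that would still let a client built from
// c authenticate. A config returned as "anonymous" must yield an empty list.
func credentialSources(c *Config) []string {
	var found []string
	if c.BearerToken != "" {
		found = append(found, "BearerToken")
	}
	if c.BearerTokenFile != "" {
		found = append(found, "BearerTokenFile")
	}
	if c.Username != "" || c.Password != "" {
		found = append(found, "BasicAuth")
	}
	if len(c.CertData) > 0 || len(c.KeyData) > 0 {
		found = append(found, "ClientCert")
	}
	return found
}

// isAnonymous is the check a unit test should assert on the stripped copy.
func isAnonymous(c *Config) bool { return len(credentialSources(c)) == 0 }

func main() {
	in := inClusterConfig()
	in.BearerToken = "constructed-token" // pretend the token was also loaded into memory
	in.CertData, in.KeyData = []byte("cert"), []byte("key")

	vuln := anonymousClientConfigVulnerable(in)
	fixed := anonymousClientConfigFixed(in)
	fmt.Printf("vulnerable copy still carries: %s\n", strings.Join(credentialSources(vuln), ", "))
	fmt.Printf("fixed copy anonymous: %v\n", isAnonymous(fixed))
	fmt.Printf("original still has %d credential sources\n", len(credentialSources(in)))
}
```

Run stand-alone, the vulnerable copy reports `BearerTokenFile` as a surviving credential source while the fixed copy reports none; the original config keeps all of its credentials, since both helpers work on a copy. The point for reviewers of any "strip credentials" routine is that the check should enumerate every field from which a credential can be obtained, not just the ones that hold a value in memory.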
Comment 1 Marcus Meissner 2019-04-23 15:33:34 UTC
We don't seem to ship 1.12 yet.
Comment 2 Alexandre Vicenzi 2024-07-18 14:11:11 UTC
This was fixed ages ago, but never mentioned in the changelog. Currently, we have Kubernetes 1.30 and this was fixed in 1.15.

Marcus, can you close this?
Comment 3 Marcus Meissner 2024-07-19 12:39:26 UTC
done