Bug 1174460 (CVE-2019-11252) - VUL-0: CVE-2019-11252: kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes
Status: RESOLVED FIXED
Alias: CVE-2019-11252
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264155/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-11252:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-24 07:48 UTC by Alexandros Toptsoglou
Modified: 2024-07-26 10:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
kkaempf: needinfo? (dko)


Description Alexandros Toptsoglou 2020-07-24 07:48:47 UTC
CVE-2019-11252

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.

Reference:
https://github.com/kubernetes/kubernetes/pull/88684

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1860158
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11252
https://access.redhat.com/errata/RHSA-2020:2413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11252
https://github.com/kubernetes/kubernetes/pull/88684
Comment 2 Klaus Kämpf 2020-07-24 08:10:00 UTC
Azure and Ceph are owned by APJ squad. David, can your team handle this?
Comment 3 Alexandre Vicenzi 2024-07-19 08:52:43 UTC
This was fixed ages ago but never mentioned in the changelog. Currently, we have Kubernetes 1.30 and this was fixed in 1.18.

Security Team, can you close this?
Comment 4 Andrea Mattiazzo 2024-07-26 10:15:14 UTC
All done, closing.