CVE-2019-10223: Information Exposure

November 5, 2019 (updated November 29, 2019)

A security issue was discovered in the kube-state-metrics versions. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10223
nvd.nist.gov/vuln/detail/CVE-2019-10223

Detect and mitigate CVE-2019-10223 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →