GMS-2023-1356: @mittwald/kubernetes's secret contents leaked via debug logging

May 2, 2023

When debug logging is enabled (via DEBUG environment variable), the Kubernetes client may log all response bodies into the debug log – including sensitive data from Secret resources.

When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere).

Upgrade to 3.5.0 or newer.

Workaround Disable debug logging entirely, or exclude the kubernetes:client debug item (for example, using DEBUG=*,-kubernetes:client).

https://cwe.mitre.org/data/definitions/532.html

References

github.com/advisories/GHSA-g35x-j6jj-8g7j
github.com/mittwald/node-kubernetes/commit/04f6809fd438417c343d541e57f76f0040e069cd
github.com/mittwald/node-kubernetes/releases/tag/v3.5.0
github.com/mittwald/node-kubernetes/security/advisories/GHSA-g35x-j6jj-8g7j

Detect and mitigate GMS-2023-1356 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →