{"id":"GO-2022-0621","summary":"Exposure of sensitive information in k8s.io/kube-state-metrics","details":"Exposing annotations as metrics can leak secrets.\n\nAn experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.","aliases":["CVE-2019-10223","CVE-2019-17110","GHSA-2v6x-frw8-7r7f","GHSA-c92w-72c5-9x59"],"modified":"2024-05-20T16:03:47Z","published":"2021-05-18T15:38:54Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0621","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f"}],"affected":[{"package":{"name":"k8s.io/kube-state-metrics","ecosystem":"Go","purl":"pkg:golang/k8s.io/kube-state-metrics"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.7.0"},{"fixed":"1.7.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Builder.Build","kubeAnnotationsToPrometheusLabels"],"path":"k8s.io/kube-state-metrics/internal/store"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0621.json"}}],"schema_version":"1.7.3","credits":[{"name":"Moritz S."}]}