GHSA-g35x-j6jj-8g7j

Suggest an improvement
Source
https://github.com/advisories/GHSA-g35x-j6jj-8g7j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-g35x-j6jj-8g7j/GHSA-g35x-j6jj-8g7j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g35x-j6jj-8g7j
Published
2023-05-02T16:51:25Z
Modified
2023-05-02T16:51:25Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
@mittwald/kubernetes's secret contents leaked via debug logging
Details

Impact

When debug logging is enabled (via DEBUG environment variable), the Kubernetes client may log all response bodies into the debug log -- including sensitive data from Secret resources.

When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere).

Patches

Upgrade to 3.5.0 or newer.

Workarounds

Disable debug logging entirely, or exclude the kubernetes:client debug item (for example, using DEBUG=*,-kubernetes:client).

References

  • https://cwe.mitre.org/data/definitions/532.html
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2023-05-02T16:51:25Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-532"
    ]
}
References

Affected packages

npm / @mittwald/kubernetes

Package

Name
@mittwald/kubernetes
View open source insights on deps.dev
Purl
pkg:npm/%40mittwald/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.0