GO-2022-0621

Source
https://pkg.go.dev/vuln/GO-2022-0621
Import Source
https://vuln.go.dev/ID/GO-2022-0621.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0621
Aliases
Published
2021-05-18T15:38:54Z
Modified
2024-05-20T16:03:47Z
Summary
Exposure of sensitive information in k8s.io/kube-state-metrics
Details

Exposing annotations as metrics can leak secrets.

An experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.

References
Credits
    • Moritz S.

Affected packages

Go / k8s.io/kube-state-metrics

Package

Name
k8s.io/kube-state-metrics
Purl
pkg:golang/k8s.io/kube-state-metrics

Affected ranges

Type
SEMVER
Events
Introduced
1.7.0
Fixed
1.7.2

Ecosystem specific

{
    "imports": [
        {
            "path": "k8s.io/kube-state-metrics/internal/store",
            "symbols": [
                "Builder.Build",
                "kubeAnnotationsToPrometheusLabels"
            ]
        }
    ]
}