CVE-2020-8565 — Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.i

Description

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

How to fix CVE-2020-8565

To remediate CVE-2020-8565, upgrade the affected package to a fixed version below.

—upgrade to 1.20.0-1 or later
—upgrade to 0.19.6 or later
—upgrade to 0.20.0-alpha.2 or later
—upgrade to 1.20.0-alpha.2 or later

Is CVE-2020-8565 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.20.0-1
>= 0.19.0, < 0.19.6
from 0, < 0.20.0-alpha.2
from 0, < 1.20.0-alpha.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-8565
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-8565
PATCHgithub.com/kubernetes/client-go
WEBgithub.com/kubernetes/client-go/commit/19875a3d5a2e0d4f51c976a9e0662de3c2c011e3