A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2020-10752 - High Severity Vulnerability
Vulnerable Libraries - k8s.io/apiserver/pkg/authentication/user-a7c3148ae4227004e0b9f6034c92da166932b655, k8s.io/apiserver/plugin/pkg/authorizer/webhook-a7c3148ae4227004e0b9f6034c92da166932b655, k8s.io/apiserver/pkg/authorization/authorizer-a7c3148ae4227004e0b9f6034c92da166932b655, k8s.io/apiserver/pkg/util/webhook-a7c3148ae4227004e0b9f6034c92da166932b655, k8s.io/apiserver/pkg/features-a7c3148ae4227004e0b9f6034c92da166932b655, github.com/kubernetes/apiserver-kubernetes-1.17.6, k8s.io/apiserver/pkg/authentication/serviceaccount-a7c3148ae4227004e0b9f6034c92da166932b655
k8s.io/apiserver/pkg/authentication/user-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - github.com/kubernetes/apiserver/pkg/authentication/authenticator-v0.17.9 (Root Library) - :x: **k8s.io/apiserver/pkg/authentication/user-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
k8s.io/apiserver/plugin/pkg/authorizer/webhook-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/cloud-controller-manager/app-v1.18.2-k3s.1 (Root Library) - k8s.io/apiserver/pkg/server/options-20f496186c3e8e4d4f12da0794f26cec36df73b2 - k8s.io/apiserver/pkg/authorization/authorizerfactory-v0.17.9 - :x: **k8s.io/apiserver/plugin/pkg/authorizer/webhook-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
k8s.io/apiserver/pkg/authorization/authorizer-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/cloud-controller-manager/app-v1.18.2-k3s.1 (Root Library) - k8s.io/apiserver/pkg/server/options-20f496186c3e8e4d4f12da0794f26cec36df73b2 - k8s.io/apiserver/pkg/authorization/union-20f496186c3e8e4d4f12da0794f26cec36df73b2 - :x: **k8s.io/apiserver/pkg/authorization/authorizer-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
k8s.io/apiserver/pkg/util/webhook-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/cloud-controller-manager/app-v1.18.2-k3s.1 (Root Library) - k8s.io/apiserver/pkg/server/options-20f496186c3e8e4d4f12da0794f26cec36df73b2 - :x: **k8s.io/apiserver/pkg/util/webhook-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
k8s.io/apiserver/pkg/features-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/cloud-controller-manager/app-v1.18.2-k3s.1 (Root Library) - k8s.io/apiserver/pkg/server/options-20f496186c3e8e4d4f12da0794f26cec36df73b2 - :x: **k8s.io/apiserver/pkg/features-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
github.com/kubernetes/apiserver-kubernetes-1.17.6
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/kube-apiserver/app-v1.18.2-k3s.1 (Root Library) - k8s.io/kubernetes/cmd/kube-apiserver/app/options-v1.18.2-k3s.1 - k8s.io/kubernetes/pkg/kubeapiserver/options-v1.18.2-k3s.1 - k8s.io/kubernetes/pkg/kubeapiserver/authenticator-v1.18.2-k3s.1 - :x: **github.com/kubernetes/apiserver-kubernetes-1.17.6** (Vulnerable Library)
k8s.io/apiserver/pkg/authentication/serviceaccount-a7c3148ae4227004e0b9f6034c92da166932b655
Library for writing a Kubernetes-style API server.
Dependency Hierarchy: - k8s.io/kubernetes/cmd/cloud-controller-manager/app-v1.18.2-k3s.1 (Root Library) - k8s.io/apiserver/pkg/server/options-20f496186c3e8e4d4f12da0794f26cec36df73b2 - k8s.io/apiserver/pkg/server-20f496186c3e8e4d4f12da0794f26cec36df73b2 - k8s.io/apiserver/pkg/endpoints/filters-20f496186c3e8e4d4f12da0794f26cec36df73b2 - :x: **k8s.io/apiserver/pkg/authentication/serviceaccount-a7c3148ae4227004e0b9f6034c92da166932b655** (Vulnerable Library)
Found in HEAD commit: d176fc163fbd69f1a628cf9b7ea217423ee02d31
Vulnerability Details
A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.
Publish Date: 2020-06-12
URL: CVE-2020-10752
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.