vulndb/data/osv/GO-2022-0621.json

{
  "schema_version": "1.3.1",
  "id": "GO-2022-0621",
  "modified": "0001-01-01T00:00:00Z",
  "published": "2021-05-18T15:38:54Z",
  "aliases": [
    "CVE-2019-10223",
    "CVE-2019-17110",
    "GHSA-2v6x-frw8-7r7f",
    "GHSA-c92w-72c5-9x59"
  ],
  "details": "Exposing annotations as metrics can leak secrets.\n\nAn experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.",
  "affected": [
    {
      "package": {
        "name": "k8s.io/kube-state-metrics",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.2"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "k8s.io/kube-state-metrics/internal/store",
            "symbols": [
              "kubeAnnotationsToPrometheusLabels"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f"
    }
  ],
  "credits": [
    {
      "name": "Moritz S."
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2022-0621"
  }
}