NVD Vulnerability Detail

CVE-2020-8564

Summary	In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Publication Date	Dec. 8, 2020, 7:15 a.m.
Registration Date	Jan. 26, 2021, 12:02 p.m.
Last Update	Nov. 21, 2024, 2:39 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/kubernetes/kubernetes/issues/95622	Third Party Advisory
2	https://github.com/kubernetes/kubernetes/issues/95622	Third Party Advisory
3	https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ	Mailing List Patch Third Party Advisory
4	https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ	Mailing List Patch Third Party Advisory
5	https://security.netapp.com/advisory/ntap-20210122-0006/	Third Party Advisory
6	https://security.netapp.com/advisory/ntap-20210122-0006/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-532	ログファイルからの情報漏えい	https://cwe.mitre.org/data/definitions/532.html

JVN Vulnerability Information

Kubernetes におけるログファイルからの情報漏えいに関する脆弱性

Title	Kubernetes におけるログファイルからの情報漏えいに関する脆弱性
Summary	Kubernetes には、ログファイルからの情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 16, 2020, midnight
Registration Date	July 21, 2021, 4:49 p.m.
Last Update	July 21, 2021, 4:49 p.m.

Affected System

Kubernetes

Kubernetes 1.17.13 未満

Kubernetes 1.18.10 未満

Kubernetes 1.19.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8564	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8564
GitHub
2	CVE-2020-8564: Docker config secrets leaked when file is malformed and log level >= 4 #95622	https://github.com/kubernetes/kubernetes/issues/95622
National Vulnerability Database (NVD)
3	CVE-2020-8564	https://nvd.nist.gov/vuln/detail/CVE-2020-8564

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-532	https://cwe.mitre.org/data/definitions/532.html

ベンダー情報

No	Name	URL
Google Groups
1	[Security Advisory] Multiple secret leaks when verbose logging is enabled	https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ

Change Log

No	Changed Details	Date of change
1	[2021年07月21日] 掲載	July 21, 2021, 4:49 p.m.