Description
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/76797
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108053
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190509-0002/
Scores
CVSS v3
8.1
EPSS
0.0149
EPSS Percentile
70.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-212
CWE-271
Status
published
Products (4)
k8s.io/kubernetes
1.12.0 - 1.12.5Go
kubernetes/kubernetes
1.13.0
kubernetes/kubernetes
1.12.0 - 1.12.4
netapp/trident
Published
Apr 22, 2019
Tracked Since
Feb 18, 2026