CVE-2019-11243: v1.12.0-v1.12.4, v1.13.0: rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig() #76797
Labels

- area/security
- kind/bug: Categorizes issue or PR as related to a bug.
- official-cve-feed: Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
- sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.
- sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
The `rest.AnonymousClientConfig()` method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).

In the following versions, `rest.AnonymousClientConfig()` did not effectively clear service account credentials loaded using `rest.InClusterConfig()`:

- v1.12.0-v1.12.4
- v1.13.0

**What is the impact?**

`k8s.io/client-go` users that use the `rest.AnonymousClientConfig()` method directly with client config loaded with `rest.InClusterConfig()` receive back a client config which can still send the loaded service account token with requests.

**How was the issue fixed?**

- `rest.InClusterConfig()` was modified to return a client config that is safe to use with the `rest.AnonymousClientConfig()` method (Plumb token and token file through rest.Config #71713)
- `rest.AnonymousClientConfig()` will also exclude the `config.Transport` and `config.WrapTransport` fields, in addition to the explicit credential-carrying fields. (Exclude custom transports when constructing AnonymousClientConfig() #75771)

**How do I resolve the issue?**

- Update `k8s.io/client-go` to `kubernetes-1.12.5`, `kubernetes-1.13.1`, `kubernetes-1.14.0`, or higher
- Or clear the `config.WrapTransport` and `config.Transport` fields in addition to calling `rest.AnonymousClientConfig()`

Thanks to Oleg Bulatov of Red Hat for reporting this issue.
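The following is an added, self-contained Go model of the two fixes and the workaround above; it is not client-go's code. The `Config` type, the `*Affected`/`*Fixed` functions and the `recordingTransport` are all constructed stand-ins: the affected in-cluster config attaches the service account token through `WrapTransport` (so clearing only the explicit credential fields leaves it in place), the fixed in-cluster config carries it in `BearerToken` (the #71713 approach, simplified), and the fixed anonymous config additionally drops `Transport` and `WrapTransport` (#75771, and the manual workaround). `AuthorizationSent` reports which `Authorization` header the "server" would have received for a given combination.

```go
package main

import (
	"fmt"
	"net/http"
)

// Config is a cut-down, hypothetical model of rest.Config holding only the
// fields relevant to this issue. It is not client-go's type.
type Config struct {
	Host          string
	BearerToken   string
	Transport     http.RoundTripper
	WrapTransport func(http.RoundTripper) http.RoundTripper
}

// bearerRoundTripper adds a bearer token to every outgoing request.
type bearerRoundTripper struct {
	token string
	next  http.RoundTripper
}

func (b *bearerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+b.token)
	return b.next.RoundTrip(r)
}

// recordingTransport stands in for the network: it records the Authorization
// header it sees and answers with an empty 200 response.
type recordingTransport struct{ authorization string }

func (t *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.authorization = req.Header.Get("Authorization")
	return &http.Response{StatusCode: 200, Body: http.NoBody, Request: req}, nil
}

// inClusterConfigAffected models the pre-#71713 behaviour: the service account
// token is injected by a transport wrapper, not stored in a credential field.
func inClusterConfigAffected(host, token string) *Config {
	return &Config{Host: host, WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
		return &bearerRoundTripper{token: token, next: rt}
	}}
}

// inClusterConfigFixed models #71713: the token lives in an explicit field that
// AnonymousClientConfig knows how to clear.
func inClusterConfigFixed(host, token string) *Config {
	return &Config{Host: host, BearerToken: token}
}

// anonymousAffected clears the explicit credential fields but copies the
// transport fields verbatim, so a token hidden in WrapTransport survives.
func anonymousAffected(c *Config) *Config {
	return &Config{Host: c.Host, Transport: c.Transport, WrapTransport: c.WrapTransport}
}

// anonymousFixed models #75771 (and the manual workaround): Transport and
// WrapTransport are dropped along with the credential fields.
func anonymousFixed(c *Config) *Config {
	return &Config{Host: c.Host}
}

// buildClient assembles an http.Client from a config the way a caller would,
// layering WrapTransport and BearerToken on top of the base transport.
func buildClient(c *Config, base http.RoundTripper) *http.Client {
	rt := base
	if c.Transport != nil {
		rt = c.Transport
	}
	if c.WrapTransport != nil {
		rt = c.WrapTransport(rt)
	}
	if c.BearerToken != "" {
		rt = &bearerRoundTripper{token: c.BearerToken, next: rt}
	}
	return &http.Client{Transport: rt}
}

// AuthorizationSent builds an in-cluster config with a constructed token, turns
// it "anonymous" with the given function, sends one request through the
// recording transport and returns the Authorization header that went out.
func AuthorizationSent(inCluster func(string, string) *Config, anonymous func(*Config) *Config) (string, error) {
	rec := &recordingTransport{}
	cfg := anonymous(inCluster("https://kubernetes.default.svc", "sa-token-CONSTRUCTED"))
	resp, err := buildClient(cfg, rec).Get(cfg.Host + "/api")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return rec.authorization, nil
}

func main() {
	leaked, _ := AuthorizationSent(inClusterConfigAffected, anonymousAffected)
	safe1, _ := AuthorizationSent(inClusterConfigFixed, anonymousAffected)
	safe2, _ := AuthorizationSent(inClusterConfigAffected, anonymousFixed)
	fmt.Printf("affected InClusterConfig + affected Anonymous: %q\n", leaked)
	fmt.Printf("fixed InClusterConfig    + affected Anonymous: %q\n", safe1)
	fmt.Printf("affected InClusterConfig + fixed Anonymous:    %q\n", safe2)
}
```

Either fix alone closes the leak in this model, which is why the issue offers the workaround of clearing `Transport` and `WrapTransport` yourself on older client-go: anything that can still inject credentials must be removed, not just the fields that visibly hold them.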
/area security
/kind bug
/sig auth
/sig api-machinery
/assign
/close