ATR-K8S-002: Non-constant time password comparison #81126
This issue was reported in the Kubernetes Security Audit Report.
[Figure 9.1 of the report: Username and password authentication handling in passwordfile.go]
Long term, deprecate Basic Authentication in favor of more robust and secure options. Add documentation noting that any Basic Authentication is for use only in development scenarios, and not appropriate for production deployments. This will help users create a robust and secure default stance for all deployments.
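Added example, not code from the Kubernetes repository, the fix PR or the audit report: the plain `==` comparison the finding describes placed beside a constant-time form built on Go's crypto/subtle, wired into a small static-password-file authenticator. The password,user,uid[,"groups"] line layout and the sample credentials are assumptions constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample in the assumed password,user,uid[,"group1,group2"] line layout.
const sampleFile = "s3cr3t,alice,1001,\"system:masters\"\nhunter2,bob,1002\n"

// vulnerableEqual is the pattern the finding describes: == stops at the first mismatching byte, so its running time leaks how much of a guess was right.
func vulnerableEqual(stored, supplied string) bool {
	return stored == supplied
}

// constantTimeEqual's cost depends only on the lengths, not on where the inputs differ (a length mismatch reveals only the password's length).
func constantTimeEqual(stored, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(supplied)) == 1
}

// parsePasswordFile maps username -> password; the optional quoted group column is ignored.
func parsePasswordFile(contents string) (map[string]string, error) {
	r := csv.NewReader(strings.NewReader(contents))
	r.FieldsPerRecord = -1 // the quoted group list is optional, so records may differ in length
	records, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	creds := make(map[string]string, len(records))
	for _, rec := range records {
		if len(rec) < 3 {
			return nil, fmt.Errorf("malformed line %q: want at least 3 fields", rec)
		}
		creds[rec[1]] = rec[0]
	}
	return creds, nil
}

// Authenticate checks a user/password pair against the parsed file using the constant-time comparison.
func Authenticate(creds map[string]string, user, password string) bool {
	stored, ok := creds[user]
	return ok && constantTimeEqual(stored, password)
}

func main() {
	creds, _ := parsePasswordFile(sampleFile)
	fmt.Println(vulnerableEqual("s3cr3t", "s3cr3u"), Authenticate(creds, "alice", "s3cr3t")) // false true
}
```

The constant-time comparison removes the timing leak the finding names; it does not change the report's longer-term advice to move off Basic Authentication.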
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of ATR-K8S-002 and it was finding 18 of the report.
The vendor considers this issue Medium Severity.
To view the original finding, begin on page 55 of the Kubernetes Security Review Report.
Fixed in v1.16.0 by #81152