CVE-2025-24884

kube-audit-rest’s example logging configuration could disclose secret values in the audit log

Moderate severity • GitHub Reviewed • Published Jan 29, 2025 in RichardoC/kube-audit-rest • Updated Jan 29, 2025

Package

gomod github.com/RichardoC/kube-audit-rest (Go)

Affected versions

< 0.0.0-20250129191722-db1aa5b86725

Patched versions

0.0.0-20250129191722-db1aa5b86725

Impact

If the “full-elastic-stack” example vector configuration was used on a real cluster, the previous values of Kubernetes Secrets would have been disclosed in the audit messages: the redaction step replaced the `data` fields of the object and oldObject but left the `kubectl.kubernetes.io/last-applied-configuration` annotation, which carries the previously applied Secret manifest, in place.

Patches

The example has been updated to fix this in commit db1aa5b867256b0a7bf206544c6981ab068b73dc.

Workarounds

Replace

      if .request.requestKind.kind == "Secret" {
        del(.request.object.data)
        .request.object.data.redacted = "REDACTED"
        del(.request.oldObject.data)
        .request.oldObject.data.redacted = "REDACTED"
      }

in the vector “audit-files-json-parser-and-redaction” step with

      if .request.requestKind.kind == "Secret" {
        # Redact the secret data
        del(.request.object.data)
        .request.object.data.redacted = "REDACTED"
        del(.request.oldObject.data)
        .request.oldObject.data.redacted = "REDACTED"
        # Remove the previously set secret data - Not bothering to parse it as this annotation shouldn't ever be needed
        del(.request.object.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
        del(.request.oldObject.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
      }
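To make the difference between the two redaction steps concrete, the following is an added Python model of both variants (not the project's VRL, and not code from the advisory) run over a constructed audit event whose secret values are placeholders; the `leaked_values` check is the kind of assertion one would keep in a test for the redaction pipeline.

```python
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed audit event in the shape the vector step inspects; the secret
# values are placeholders, not real data. kubectl keeps the previously applied
# manifest, Secret data included, in the last-applied annotation.
SAMPLE_EVENT = {"request": {
    "requestKind": {"kind": "Secret"},
    "object": {
        "metadata": {"name": "db-creds", "annotations": {
            LAST_APPLIED: json.dumps({"kind": "Secret", "data": {"pw": "OLD_SECRET_B64"}})}},
        "data": {"pw": "NEW_SECRET_B64"},
    },
    "oldObject": {
        "metadata": {"name": "db-creds", "annotations": {
            LAST_APPLIED: json.dumps({"kind": "Secret", "data": {"pw": "OLDER_SECRET_B64"}})}},
        "data": {"pw": "OLD_SECRET_B64"},
    },
}}
SECRET_VALUES = ["OLD_SECRET_B64", "NEW_SECRET_B64", "OLDER_SECRET_B64"]

def redact_original(event):
    """Pre-fix step: only .data on object and oldObject is replaced."""
    ev = copy.deepcopy(event)
    req = ev["request"]
    if req.get("requestKind", {}).get("kind") == "Secret":
        for name in ("object", "oldObject"):
            req[name]["data"] = {"redacted": "REDACTED"}
    return ev

def redact_fixed(event):
    """Patched step: additionally drops the last-applied annotation on both objects."""
    ev = redact_original(event)
    req = ev["request"]
    if req.get("requestKind", {}).get("kind") == "Secret":
        for name in ("object", "oldObject"):
            req[name].get("metadata", {}).get("annotations", {}).pop(LAST_APPLIED, None)
    return ev

def leaked_values(event, secret_values=SECRET_VALUES):
    """Known secret values that still appear anywhere in the serialized event."""
    blob = json.dumps(event)
    return sorted(v for v in secret_values if v in blob)

if __name__ == "__main__":
    print("original step leaks:", leaked_values(redact_original(SAMPLE_EVENT)))
    print("fixed step leaks:", leaked_values(redact_fixed(SAMPLE_EVENT)))
```

With the original step the two previously applied values survive inside the annotation strings; with the patched step nothing from the known set remains in the serialized event.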

References

  • GHSA-hcr5-wv4p-h2g2
  • RichardoC/kube-audit-rest@db1aa5b

Published to the GitHub Advisory Database

Jan 29, 2025

Last updated

Jan 29, 2025
