GHSA-hcr5-wv4p-h2g2: kube-audit-rest's example logging configuration could disclose secret values in the audit log
Impact
If the “full-elastic-stack” example vector configuration was used against a real cluster, the previous values of Kubernetes Secrets would have been disclosed in the audit messages: the redaction step replaced the Secret's data fields but left the kubectl.kubernetes.io/last-applied-configuration annotation, which carries a copy of the previously applied manifest, data included.
Patches
The example has been updated to fix this in commit db1aa5b867256b0a7bf206544c6981ab068b73dc.
Workarounds
In the vector “audit-files-json-parser-and-redaction” step, replace

    if .request.requestKind.kind == "Secret" {
    del(.request.object.data)
    .request.object.data.redacted = "REDACTED"
    del(.request.oldObject.data)
    .request.oldObject.data.redacted = "REDACTED"
    }

with

    if .request.requestKind.kind == "Secret" {
    # Redact the secret data
    del(.request.object.data)
    .request.object.data.redacted = "REDACTED"
    del(.request.oldObject.data)
    .request.oldObject.data.redacted = "REDACTED"
    # Remove the previously set secret data - Not bothering to parse it as this annotation shouldn't ever be needed
    del(.request.object.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
    del(.request.oldObject.metadata.annotations.["kubectl.kubernetes.io/last-applied-configuration"])
    }
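To make the gap concrete, here is an added Python check (not part of the advisory or the kube-audit-rest project) that mirrors the original and the patched VRL redaction over a constructed admission event and reports which secret values survive redaction. The event shape, names and base64 values are made up for the example.

```python
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed sample values: base64 of "old-password" and "new-password".
OLD_B64, NEW_B64 = "b2xkLXBhc3N3b3Jk", "bmV3LXBhc3N3b3Jk"
SECRET_VALUES = [OLD_B64, NEW_B64]


def _secret(value):
    """Build a minimal Secret manifest. kubectl apply stores a copy of the
    applied manifest, data included, in the last-applied annotation."""
    manifest = {"apiVersion": "v1", "kind": "Secret",
                "metadata": {"name": "db-creds", "namespace": "app"},
                "data": {"password": value}}
    manifest["metadata"]["annotations"] = {LAST_APPLIED: json.dumps(manifest)}
    return manifest


# Constructed admission request for a Secret update: the new object plus the
# previous object, as the example vector pipeline receives it.
SAMPLE_EVENT = {"request": {"requestKind": {"group": "", "version": "v1", "kind": "Secret"},
                            "object": _secret(NEW_B64), "oldObject": _secret(OLD_B64)}}


def _secret_objects(req):
    """The object/oldObject dicts of a Secret request (empty for other kinds)."""
    if req.get("requestKind", {}).get("kind") != "Secret":
        return []
    return [req[k] for k in ("object", "oldObject") if isinstance(req.get(k), dict)]


def redact_original(event):
    """Mirror of the example's original step: replace .data, nothing else."""
    event = copy.deepcopy(event)
    for obj in _secret_objects(event["request"]):
        obj["data"] = {"redacted": "REDACTED"}
    return event


def redact_fixed(event):
    """Mirror of the patched step: also drop the last-applied annotation."""
    event = redact_original(event)
    for obj in _secret_objects(event["request"]):
        obj.get("metadata", {}).get("annotations", {}).pop(LAST_APPLIED, None)
    return event


def leaked_values(event, secret_values):
    """Secret values still present anywhere in the serialized audit message."""
    blob = json.dumps(event)
    return sorted(v for v in secret_values if v in blob)


if __name__ == "__main__":
    print("original step leaks:", leaked_values(redact_original(SAMPLE_EVENT), SECRET_VALUES))
    print("patched step leaks: ", leaked_values(redact_fixed(SAMPLE_EVENT), SECRET_VALUES))
```

The same substring check, run over real audit lines with a known test Secret's values, is a cheap way to confirm a redaction pipeline before it ships logs off-cluster.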
- CVE-2025-24884
Moderate severity, GitHub Reviewed. Published Jan 29, 2025 in RichardoC/kube-audit-rest; updated Jan 29, 2025.
Package
gomod github.com/RichardoC/kube-audit-rest (Go)
Affected versions
< 0.0.0-20250129191722-db1aa5b86725
Patched versions
0.0.0-20250129191722-db1aa5b86725
References
- GHSA-hcr5-wv4p-h2g2
- RichardoC/kube-audit-rest@db1aa5b
Published to the GitHub Advisory Database: Jan 29, 2025
Last updated: Jan 29, 2025