Headline
GHSA-g35x-j6jj-8g7j: @mittwald/kubernetes's secret contents leaked via debug logging
Impact
When debug logging is enabled (via DEBUG environment variable), the Kubernetes client may log all response bodies into the debug log – including sensitive data from Secret resources.
When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere).
Patches
Upgrade to 3.5.0 or newer.
Workarounds
Disable debug logging entirely, or exclude the kubernetes:client debug item (for example, using DEBUG=*,-kubernetes:client).
References
- https://cwe.mitre.org/data/definitions/532.html
Impact
When debug logging is enabled (via DEBUG environment variable), the Kubernetes client may log all response bodies into the debug log – including sensitive data from Secret resources.
When running in a Kubernetes cluster, this might expose sensitive information to users who are not authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere).
Patches
Upgrade to 3.5.0 or newer.
Workarounds
Disable debug logging entirely, or exclude the kubernetes:client debug item (for example, using DEBUG=*,-kubernetes:client).
References
- https://cwe.mitre.org/data/definitions/532.html
References
- GHSA-g35x-j6jj-8g7j
- mittwald/node-kubernetes@04f6809
- https://github.com/mittwald/node-kubernetes/releases/tag/v3.5.0