CVE-2020-8564

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13.

Published: Dec 7, 2020
Updated: May 9, 2024
CVE: CVE-2020-8564
GHSA: GHSA-8mjg-8c8g-6h85
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-532

Affected Software
References

Software	From	Fixed in
kubernetes / kubernetes	1.19.0	1.19.3
kubernetes / kubernetes	1.18.0	1.18.10
kubernetes / kubernetes	1.17.0	1.17.13
github.com/kubernetes/kubernetes	1.19.0	1.19.3
github.com/kubernetes/kubernetes	1.18.0	1.18.10
github.com/kubernetes/kubernetes	-	1.17.13
k8s.io/kubernetes	-	1.20.0-alpha.1

https://github.com/kubernetes/kubernetes/commit/11793434dac97a49bfed0150b56ac63e5dc34634
https://github.com/kubernetes/kubernetes/issues/95622
https://github.com/kubernetes/kubernetes/pull/94712
https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ
https://pkg.go.dev/vuln/GO-2021-0066
https://security.netapp.com/advisory/ntap-20210122-0006
https://security.netapp.com/advisory/ntap-20210122-0006/

Vulnerability Database

CVE-2020-8564

Deep Security Visibility Without the Complexity