CVE-2019-17110 in kube-state-metrics
Summary
by MITRE
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
Analysis
by VulDB Data Team • 01/03/2024
The vulnerability CVE-2019-17110 represents a critical information disclosure flaw in kube-state-metrics versions 1.7.0 through 1.7.1, where an experimental feature was introduced that inadvertently exposed sensitive secret data through metric labels. This issue stems from the default behavior of kubectl commands combined with the new annotation exposure functionality, creating a scenario where secret content becomes accessible through the metrics endpoint. The vulnerability specifically affects Kubernetes environments where kube-state-metrics is deployed to monitor cluster resources and expose their state as metrics for monitoring systems.
The technical flaw manifests through the improper handling of annotations in the kube-state-metrics component, which was designed to expose metadata about Kubernetes resources including Secrets. When the experimental feature was enabled, it allowed annotations to be converted into metric labels, but the implementation did not sanitize or restrict the content being exposed. As a result, when kubectl commands are run with their default configuration, secret values can end up in annotation fields, which are then processed and exposed as part of the metric labels. The vulnerability is classified under CWE-200 as an exposure of sensitive information and aligns with ATT&CK technique T1552.2 for unsecured credentials, as it exposes secret content through an unintended access vector.
The operational impact of this vulnerability is significant for Kubernetes environments that rely on kube-state-metrics for monitoring and observability. Attackers who can access the metrics endpoint can extract complete secret contents from metric labels, potentially gaining access to sensitive information such as API keys, passwords, certificates, and other confidential data. This exposure occurs without explicit user action or privilege escalation, making it particularly dangerous as it can be exploited by any entity with access to the metrics endpoint. The vulnerability affects the confidentiality aspect of the CIA triad, as it violates the principle that sensitive information should not be exposed through legitimate monitoring interfaces. Organizations using kube-state-metrics in production environments face potential data breaches and compliance violations when this vulnerability is present.
The recommended mitigation strategy involves upgrading to kube-state-metrics version 1.7.2 or later, where the vulnerability has been addressed through proper input sanitization and access controls. Administrators should also implement network segmentation to restrict access to the metrics endpoint, ensuring that only authorized monitoring systems can query the metrics. Additional controls include implementing proper RBAC policies to limit who can access the metrics endpoint and configuring the kube-state-metrics deployment to disable the experimental annotation feature if it is not required. Organizations should also perform regular security assessments of their monitoring infrastructure and implement monitoring for unusual access patterns to metrics endpoints. The fix addresses the root cause by ensuring that annotation content is properly validated and sanitized before being included in metric labels, preventing the inadvertent exposure of secret data through the monitoring interface.
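A defender-side check for the exposure described above, added here as an example that is not part of this advisory or of kube-state-metrics itself: it parses a scrape in Prometheus text format and flags secret metrics whose annotation labels carry a serialized Secret body. The sample scrape is constructed; the kube_secret_annotations metric name, the annotation_<key> label naming and the kubectl last-applied-configuration annotation as the leak path are assumptions made for the example.

```python
import json
import re

# Constructed sample scrape (not real output). One annotation label carries a
# whole serialized Secret, as kubectl apply's last-applied annotation would;
# the other annotation is benign. Metric/label names are assumed.
SAMPLE_SCRAPE = """\
# HELP kube_secret_annotations Kubernetes annotations converted to Prometheus labels.
# TYPE kube_secret_annotations gauge
kube_secret_annotations{namespace="default",secret="db-creds",annotation_kubectl_kubernetes_io_last_applied_configuration="{\\"apiVersion\\":\\"v1\\",\\"data\\":{\\"password\\":\\"aHVudGVyMg==\\"},\\"kind\\":\\"Secret\\"}"} 1
kube_secret_annotations{namespace="default",secret="tls-cert",annotation_owner="platform-team"} 1
kube_secret_info{namespace="default",secret="db-creds",type="Opaque"} 1
"""

LINE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)\{(.*)\}\s+\S+\s*$')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    # Prometheus text format escapes backslash, double quote and newline.
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), value)


def parse_line(line):
    """Return (metric_name, labels) for a sample line, or None for non-samples."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, raw_labels = m.groups()
    return name, {k: _unescape(v) for k, v in LABEL_RE.findall(raw_labels)}


def looks_like_secret_payload(value):
    """True if an annotation value is a JSON Secret object carrying data."""
    if not value.lstrip().startswith('{'):
        return False
    try:
        obj = json.loads(value)
    except ValueError:
        return False
    return isinstance(obj, dict) and obj.get('kind') == 'Secret' \
        and bool(obj.get('data') or obj.get('stringData'))


def find_leaks(scrape):
    """List (namespace, secret, label) for secret metrics leaking Secret bodies."""
    findings = []
    for line in scrape.splitlines():
        parsed = None if line.startswith('#') else parse_line(line)
        if not parsed or not parsed[0].startswith('kube_secret_'):
            continue
        labels = parsed[1]
        for key, value in labels.items():
            if key.startswith('annotation_') and looks_like_secret_payload(value):
                findings.append((labels.get('namespace'), labels.get('secret'), key))
    return findings
```

Run the check against a live scrape of the metrics endpoint (for example via curl) to confirm a version still exposing annotation labels is no longer deployed.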