GHSA-hcr5-wv4p-h2g2.json
{
  "schema_version": "1.4.0",
  "id": "GHSA-hcr5-wv4p-h2g2",
  "modified": "2025-02-05T16:28:49Z",
  "published": "2025-01-29T20:47:51Z",
  "aliases": [
    "CVE-2025-24884"
  ],
  "summary": "kube-audit-rest's example logging configuration could disclose secret values in the audit log",
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nIf the \"full-elastic-stack\" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nThe example has been updated to fix this in commit 9df8886b4819409f566233adc7c3b7a43a4096ba\n\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nReplace \n```yaml\n\n if .request.requestKind.kind == \"Secret\" {\n del(.request.object.data)\n .request.object.data.redacted = \"REDACTED\"\n del(.request.oldObject.data)\n .request.oldObject.data.redacted = \"REDACTED\"\n }\n```\nIn the vector \"audit-files-json-parser-and-redaction\" step\nwith\n```yaml\n\n if .request.requestKind.kind == \"Secret\" {\n # Redact the secret data\n del(.request.object.data)\n .request.object.data.redacted = \"REDACTED\"\n del(.request.oldObject.data)\n .request.oldObject.data.redacted = \"REDACTED\"\n # Remove the previously set secret data - Not bothering to parse it as this annotation shouldn't ever be needed\n del(.request.object.metadata.annotations.[\"kubectl.kubernetes.io/last-applied-configuration\"])\n del(.request.oldObject.metadata.annotations.[\"kubectl.kubernetes.io/last-applied-configuration\"])\n }\n```\n\n\n### References\n_Are there any links users can visit to find out more?_",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/RichardoC/kube-audit-rest"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250129191722-db1aa5b86725"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RichardoC/kube-audit-rest/security/advisories/GHSA-hcr5-wv4p-h2g2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RichardoC/kube-audit-rest/commit/db1aa5b867256b0a7bf206544c6981ab068b73dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RichardoC/kube-audit-rest"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3431"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-29T20:47:51Z",
    "nvd_published_at": "2025-01-29T21:15:21Z"
  }
}