SCA: security update for k8s.io/kube-state-metrics (GHSA-c92w-72c5-9x59)

medium Tenable Self-Hosted Container Security Plugin ID 413787

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental
feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the
kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default
`kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels,
thus inadvertently exposing the secret content in metrics. The `kubectl` behavior in question is
`kubectl apply` recording the full last-applied object, Secret `data` included, in the
`kubectl.kubernetes.io/last-applied-configuration` annotation, which the annotations-as-metrics feature
then copied verbatim into a label value served on the `/metrics` endpoint. This feature has been reverted
and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the
v1.7.2 release as soon as possible. Any scrape taken while an affected version was running may already
hold the secret values in whatever system collected the metrics, so rotate the Secrets concerned in
addition to upgrading. (CVE-2019-10223)
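The two checks a practitioner wants here are a version check on the deployed image and a scan of a scraped `/metrics` body for label values that are really serialized Secret objects. The following is an added example written for this page; it is not code from Tenable or the kube-state-metrics project. The metric and label names in the constructed scrape (`kube_secret_annotations`, `annotation_kubectl_kubernetes_io_last_applied_configuration`) are assumptions about how the reverted feature rendered annotations; the detector does not depend on them and keys only on a label value that deserializes to a Kubernetes `Secret` carrying `data` or `stringData`.

```python
"""Added example: detect the CVE-2019-10223 exposure path in kube-state-metrics.

Two checks: (1) is the running image one of the affected tags, and
(2) does a scraped /metrics body carry a Secret's contents inside a label value
(the kubectl last-applied-configuration annotation surfaced as a metric label).
"""
import json
import re
from typing import Dict, List, Optional

# Versions the advisory names as affected; v1.7.2 reverted the feature.
AFFECTED_TAGS = {"v1.7.0", "v1.7.1"}

# Prometheus text exposition sample: metric{label="value",...} value [timestamp]
_SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)\{(.*)\}\s+(\S+)')
# One label pair; the value may contain \" \\ \n escapes.
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it is untagged or digest-only."""
    ref = image.split("@", 1)[0]          # drop any @sha256:... digest
    last = ref.rsplit("/", 1)[-1]         # final path component is name[:tag]
    return last.split(":", 1)[1] if ":" in last else None


def image_is_affected(image: str) -> bool:
    """True when the image tag is one of the versions the advisory lists."""
    return image_tag(image) in AFFECTED_TAGS


def _unescape(value: str) -> str:
    """Undo exposition-format label escaping: \\n -> newline, \\" -> ", \\\\ -> \\."""
    return re.sub(r'\\(.)', lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def _is_secret_object(text: str) -> bool:
    """True when a label value is a serialized Kubernetes Secret that carries data."""
    text = text.strip()
    if not text.startswith("{"):
        return False
    try:
        obj = json.loads(text)
    except ValueError:
        return False
    return (isinstance(obj, dict) and obj.get("kind") == "Secret"
            and bool(obj.get("data") or obj.get("stringData")))


def find_leaked_secrets(metrics_text: str) -> List[Dict]:
    """Scan scraped /metrics text and report samples whose labels embed a Secret body."""
    findings = []
    for line in metrics_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE_RE.match(line)
        if not m:
            continue
        metric, raw_labels = m.group(1), m.group(2)
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(raw_labels)}
        for key, val in labels.items():
            if _is_secret_object(val):
                findings.append({
                    "metric": metric,
                    "namespace": labels.get("namespace"),
                    "secret": labels.get("secret"),
                    "label": key,
                    # Report which Secret keys leaked, never the values themselves.
                    "keys": sorted(json.loads(val).get("data", {})),
                })
    return findings


# Constructed sample scrape (not real data). The annotation metric/label names are
# assumptions about the reverted feature; the benign ConfigMap line shows the
# detector ignores non-Secret last-applied payloads.
SAMPLE_SCRAPE = r'''# HELP kube_secret_info Information about secret.
kube_secret_info{namespace="prod",secret="db-creds"} 1
kube_secret_annotations{namespace="prod",secret="db-creds",annotation_kubectl_kubernetes_io_last_applied_configuration="{\"apiVersion\":\"v1\",\"data\":{\"password\":\"aHVudGVyMg==\"},\"kind\":\"Secret\",\"metadata\":{\"name\":\"db-creds\",\"namespace\":\"prod\"},\"type\":\"Opaque\"}\n"} 1
kube_configmap_annotations{namespace="prod",configmap="app",annotation_kubectl_kubernetes_io_last_applied_configuration="{\"apiVersion\":\"v1\",\"data\":{\"LOG_LEVEL\":\"info\"},\"kind\":\"ConfigMap\"}\n"} 1
'''

if __name__ == "__main__":
    print("affected image:", image_is_affected("quay.io/coreos/kube-state-metrics:v1.7.1"))
    for f in find_leaked_secrets(SAMPLE_SCRAPE):
        print("LEAK", f)
```

In a live check, feed `find_leaked_secrets` the body of `curl http://<ksm>:8080/metrics` and `image_is_affected` the image from `kubectl get deploy -n kube-system kube-state-metrics -o jsonpath='{.spec.template.spec.containers[*].image}'`; a finding lists only the leaked key names so the report itself does not republish the secret.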

See Also

https://github.com/advisories/GHSA-c92w-72c5-9x59

Plugin Details

Severity: Medium

ID: 413787

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2019-10223

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 11/5/2019

Reference Information

CVE: CVE-2019-10223

CWE: CWE-200