DescriptionThe debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Overall state of this security issue: Pending
This issue is currently rated as having moderate severity.
|National Vulnerability Database|
|National Vulnerability Database||SUSE|
|Access Vector||Network||Adjacent Network|
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.
|SUSE CaaS Platform 3.0||kubernetes||Affected|
|SUSE CaaS Platform 4.0||kubernetes||Already fixed|
|SUSE Container as a Service Platform 1.0||kubernetes||Affected|
|SUSE Container as a Service Platform 2.0||kubernetes||Unsupported|
|SUSE Linux Enterprise 12 Module for Public Cloud||kubernetes||Affected|
|SUSE Linux Enterprise 15-SP1 Module for Containers||kubernetes||Already fixed|