CVE-2025-24884 MEDIUM

CVE-2025-24884: kube-audit-rest's example logging configuration could disclose secret values in the audit log

Vendor Richardoc
Product kube-audit-rest
Weakness CWE-200 · Info exposure
Published January 29, 2025
Last update January 31, 2025

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

kube-audit-rest is a simple logger of mutation and creation requests to the Kubernetes API. If the "full-elastic-stack" example Vector configuration was used for a real cluster, the previous values of Kubernetes Secrets would have been disclosed in the audit messages. This vulnerability is fixed in 1.0.16.

Key dates

02 Disclosure timeline

January 29, 2025 CVE published
January 31, 2025 Record updated