x/vulndb: potential Go vuln in github.com/openshift/cluster-kube-apiserver-operator: CVE-2019-10165

[tatianab]

CVE-2019-10165 references github.com/openshift/cluster-kube-apiserver-operator, which may be a Go module.

Description:
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-10165
• web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165
• fix: Bug 1718052: Do not log OAuth tokens in audit logs openshift/cluster-kube-apiserver-operator#499
• fix: Bug 1718052: Do not log OAuth tokens in audit logs openshift/cluster-openshift-apiserver-operator#205
• Imported by: https://pkg.go.dev/github.com/openshift/cluster-kube-apiserver-operator?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/openshift/cluster-kube-apiserver-operator
      vulnerable_at: 4.0.0-alpha.0+incompatible
      packages:
        - package: openshift
cves:
    - CVE-2019-10165
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165
    - fix: https://github.com/openshift/cluster-kube-apiserver-operator/pull/499/
    - fix: https://github.com/openshift/cluster-openshift-apiserver-operator/pull/205

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports