Impact: Moderate
Public Date: 2019-10-07
CWE: CWE-200: Information Exposure
Bugzilla: 1759118: CVE-2019-17110 kube-state-metrics: new feature exposing annotations as metrics can lead to information disclosure

A security issue exists in kube-state-metrics 1.7.x prior to 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
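A check for this exposure, as an added example that is not part of the advisory or of kube-state-metrics: it scans a scraped metrics body for labels carrying the `kubectl.kubernetes.io/last-applied-configuration` annotation that `kubectl apply` writes, and reports which Secret keys appear there without printing their values. The `annotation_` label prefix, the key sanitisation rule and the metric names in the sample are assumptions.

```python
import json
import re

# Annotation in which `kubectl apply` stores the full applied manifest.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Assumption: annotation keys surface as labels with an "annotation_" prefix
# and every character outside [a-zA-Z0-9_] replaced by "_".
LAST_APPLIED_LABEL = "annotation_" + re.sub(r"[^a-zA-Z0-9_]", "_", LAST_APPLIED)

SERIES = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)\{(.*)\}\s+\S+")
# Label values here embed JSON, so escaped quotes and commas must not end a value.
LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def find_exposed_secrets(metrics_text):
    """Return one finding per series whose labels embed a Secret manifest."""
    findings = []
    for line in metrics_text.splitlines():
        m = SERIES.match(line)
        if not m:
            continue  # comments, blank lines, series without labels
        raw = dict(LABEL.findall(m.group(2))).get(LAST_APPLIED_LABEL)
        if raw is None:
            continue
        # Undo exposition-format escaping (\" \\ \n) before parsing the JSON.
        text = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
        try:
            manifest = json.loads(text)
        except ValueError:
            continue
        if not isinstance(manifest, dict) or manifest.get("kind") != "Secret":
            continue
        meta = manifest.get("metadata") or {}
        keys = sorted({**(manifest.get("data") or {}), **(manifest.get("stringData") or {})})
        # Report key names only; the values are the secret material.
        findings.append({"metric": m.group(1), "namespace": meta.get("namespace"),
                         "name": meta.get("name"), "keys": keys})
    return findings


def sample_metrics():
    """Constructed scrape; metric names and contents are made up for the example."""
    manifest = json.dumps({"apiVersion": "v1", "kind": "Secret",
                           "metadata": {"name": "db-creds", "namespace": "prod"},
                           "data": {"password": "Y29uc3RydWN0ZWQ="}})
    escaped = manifest.replace("\\", "\\\\").replace('"', '\\"') + "\\n"
    return ('kube_secret_info{namespace="prod",secret="db-creds"} 1\n'
            'kube_secret_annotations{namespace="prod",secret="db-creds",'
            + LAST_APPLIED_LABEL + '="' + escaped + '"} 1\n')
```

Any finding means the secret's content has already been served to whoever can scrape the endpoint, so the affected Secret should be treated as disclosed.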