Description
This issue was reported in the Kubernetes Security Audit Report
Kubernetes uses JavaScript Object Notation (JSON) and similarly structured data sources throughout the codebase. This supports inter-component communications, both internally and externally to the cluster. However, a number of locations within the codebase use unsafe methods of constructing JSON:
```go
pkg/kubectl/cmd/taint/taint.go:218: conflictTaint := fmt.Sprintf("{\"%s\":\"%s\"}", taintRemove.Key, taintRemove.Effect)
pkg/apis/rbac/helpers.go:109: formatString := "{" + strings.Join(formatStringParts, ", ") + "}"
```
Figure 24.1: Examples of incorrect JSON and JSON-like construction
Exploit Scenario
Alice runs a Kubernetes cluster in her organization. Bob, a user in Alice’s organization, attempts to add an RBAC permission that he is not entitled to, which causes his entire RBAC construction to be written to logs, and potentially improperly consumed elsewhere.
Recommendation
Short term, use proper format-specific encoders for all areas of the application, regardless of where the information is used.
Long term, unify the encoding method to ensure encoded values are validated before use, and that no portion of the application produces values with different validations.
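The following is an added example, not code from the Kubernetes repository or from the audit report. It reproduces the `fmt.Sprintf` pattern from the `taint.go` line above beside the encoder-based construction the recommendation asks for, and shows why the two differ: a key that contains a double quote turns the hand-built string into a JSON object with an extra field, and a value containing a quote produces text that is not JSON at all, while `encoding/json` escapes both. The `Taint` type, the helper names and the inputs are constructed for this example and are not the real Kubernetes types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Taint mirrors the two fields interpolated in the cited taint.go line.
// Constructed for this example; not the Kubernetes core/v1 Taint type.
type Taint struct {
	Key    string
	Effect string
}

// unsafeTaintJSON reproduces the flagged pattern: the key and effect are
// pasted into a JSON template with no escaping whatsoever.
func unsafeTaintJSON(t Taint) string {
	return fmt.Sprintf("{\"%s\":\"%s\"}", t.Key, t.Effect)
}

// safeTaintJSON builds the same one-field object with encoding/json, which
// escapes quotes, backslashes and control characters in both key and value.
func safeTaintJSON(t Taint) (string, error) {
	b, err := json.Marshal(map[string]string{t.Key: t.Effect})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// isValidJSON reports whether s parses as a JSON document.
func isValidJSON(s string) bool {
	return json.Valid([]byte(s))
}

// keyCount parses s as a JSON object and returns how many top-level keys a
// consumer would see, or -1 if s does not parse. A count above 1 means the
// caller-controlled key smuggled an extra field into the object.
func keyCount(s string) int {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(s), &obj); err != nil {
		return -1
	}
	return len(obj)
}

func main() {
	// Constructed inputs: a benign taint, one whose key injects a second
	// field, and one whose effect contains a stray quote.
	cases := []Taint{
		{Key: "dedicated", Effect: "NoSchedule"},
		{Key: `dedicated":"x","extra`, Effect: "NoSchedule"},
		{Key: "k", Effect: `a"b`},
	}
	for _, t := range cases {
		u := unsafeTaintJSON(t)
		s, err := safeTaintJSON(t)
		if err != nil {
			fmt.Println("marshal error:", err)
			continue
		}
		fmt.Printf("unsafe: %-45s valid=%-5v keys=%d\n", u, isValidJSON(u), keyCount(u))
		fmt.Printf("safe:   %-45s valid=%-5v keys=%d\n", s, isValidJSON(s), keyCount(s))
	}
}
```

The second case is the one that matters for the finding: the unsafe path yields a well-formed object with two keys, so a downstream consumer would accept it without error and act on a field nobody intended to emit; the encoder path yields a single key whose embedded quotes are escaped. The same reasoning applies to the `strings.Join` construction in `rbac/helpers.go`: whatever format the string is meant to be, building it with the format's encoder is what makes the escaping rules hold everywhere rather than in the places someone remembered them.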
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-016 and it was finding 26 of the report.
The vendor considers this issue Low Severity.
To view the original finding, begin on page 69 of the Kubernetes Security Review Report
Environment:
- Kubernetes version: 1.13.4