GHSA-4RGC-5G6R-2RJF
Vulnerability from github – Published: 2023-12-12 00:58 – Updated: 2023-12-12 00:58
VLAI
Summary
lakeFS logs S3 credentials in plain text
Details
Impact
S3 credentials are logged in plain text
S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
appears as part of the log message:
time="2023-05-12T13:51:52Z" level=error msg="failed to perform diff" func="pkg/plugins/diff.(*Service).RunDiff" file="build/pkg/plugins/diff/service.go:124" error="rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL" host="localhost:8000" method=GET operation_id=OtfDiff params="{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}" path="/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F&type=delta" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker
Discovered when investigating #5862
Patches
Has the problem been patched? What versions should users upgrade to?
No
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
disable all logging?
References
Are there any links users can visit to find out more?
Severity
8.4 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/treeverse/lakefs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.101.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-12T00:58:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nS3 credentials are logged in plain text\n\n```\nS3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n```\n\nappears as part of the log message: \n\n```\ntime=\"2023-05-12T13:51:52Z\" level=error msg=\"failed to perform diff\" func=\"pkg/plugins/diff.(*Service).RunDiff\" file=\"build/pkg/plugins/diff/service.go:124\" error=\"rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL\" host=\"localhost:8000\" method=GET operation_id=OtfDiff params=\"{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}\" path=\"/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F\u0026type=delta\" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker\n```\n\nDiscovered when investigating [#5862](https://github.com/treeverse/lakeFS/issues/5862)\n\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nNo\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\ndisable all logging? \n\n### References\n_Are there any links users can visit to find out more?_\n\n",
"id": "GHSA-4rgc-5g6r-2rjf",
"modified": "2023-12-12T00:58:29Z",
"published": "2023-12-12T00:58:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-4rgc-5g6r-2rjf"
},
{
"type": "PACKAGE",
"url": "https://github.com/treeverse/lakeFS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "lakeFS logs S3 credentials in plain text"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…