Описание
User with permission to write actions can impersonate another user when auth token is configured in environment variable
Impact
When lakeFS is configured with ALL of the following:
- Configuration option
auth.encrypt.secret_keypassed through environment variable - Actions enabled via configuration option
actions.enabled(default enabled)
then a user who can configure an action can impersonate any other user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
ANY ONE of these is sufficient to prevent the issue:
-
Do not pass
auth.encrypt.secret_keythrough an environment variable.For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
-
Disable actions.
-
Limit users allowed to configure actions.
Пакеты
Наименование
github.com/treeverse/lakefs
go
Затронутые версииВерсия исправления
< 1.3.1
1.3.1
6.2 Medium
CVSS3
6.2 Medium
CVSS3