Description
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/agent-service-rhel8 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/clusterlifecycle-state-metrics-rhel8 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/managedcluster-import-controller-rhel8 | Affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicloud-manager-rhel8 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multiclusterhub-rhel8 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-application-rhel8 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-aggregator-rhel8 | Affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/subctl-rhel9 | Not affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-rhel8-operator | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-baremetal-installer-rhel8 | Fix deferred | ||
Additional information
Status:
Moderate
Defect:
CWE-532
https://bugzilla.redhat.com/show_bug.cgi?id=2080279
go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users
5.1 Medium
CVSS3
Related vulnerabilities
CVSS3: 5.5
nvd
more than 3 years ago
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
CVSS3: 5.5
debian
more than 3 years ago
The Hashicorp go-getter library before 1.5.11 does not redact an SSH k ...
CVSS3: 5.5
github
more than 3 years ago
Insertion of Sensitive Information into Log File in Hashicorp go-getter