Description
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.
A security issue was identified in the Llama Stack server when PGVector is used as a vector store provider. During initialization, the server logs print the PGVector database password in clear text. This occurs due to insufficient redaction of sensitive configuration fields. As a result, anyone with access to the application logs can retrieve database credentials, increasing the risk of unauthorized database access.
Report
The vulnerability has a Low impact. The flaw involves information exposure through log files in the Llama Stack server when PGVector is configured, where database passwords are logged in plaintext.
Mitigation
To mitigate this issue, ensure strict access controls are implemented for server and application logs associated with Llama Stack deployments. Restrict log file and directory access to authorized personnel only to prevent unauthorized disclosure of sensitive database credentials. Consider integrating log redaction or encryption solutions if supported by your logging infrastructure for enhanced data protection.
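The root cause named above is a configuration structure being written to the startup log without its sensitive fields masked. The following is an added example, not Llama Stack's own code, of the two defensive layers that close that gap: a recursive redaction of sensitive-looking keys before a config is rendered into a log message, plus a logging filter that masks known secret values if they reach a record by any other path. The provider config layout and all values in it are constructed for the example and do not come from any real deployment.

```python
import logging
import re
from typing import Any, Iterable

# Constructed sample: a vector-store provider entry shaped like a pgvector
# configuration. Hypothetical field names; the password is a dummy value.
SAMPLE_CONFIG = {
    "provider_id": "pgvector",
    "config": {
        "host": "db.internal.example",
        "port": 5432,
        "db": "vectors",
        "user": "llama",
        "password": "s3cr3t-pw",
    },
}

# Keys whose values must never be logged. Extend to match your own config schema.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)
MASK = "********"


def redact_config(value: Any) -> Any:
    """Return a copy of `value` with values under sensitive keys replaced by MASK.

    Recurses into nested dicts and lists so secrets buried in provider
    sub-configs are caught too. Non-sensitive fields are left intact so the
    log line still shows host, port, user and database for troubleshooting.
    """
    if isinstance(value, dict):
        return {
            k: (MASK if SENSITIVE_KEY.search(str(k)) else redact_config(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_config(v) for v in value]
    return value


def collect_secret_values(value: Any) -> list:
    """Gather the raw values stored under sensitive keys (used to seed the log filter)."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            if SENSITIVE_KEY.search(str(k)) and isinstance(v, str) and v:
                found.append(v)
            else:
                found.extend(collect_secret_values(v))
    elif isinstance(value, list):
        for v in value:
            found.extend(collect_secret_values(v))
    return found


class RedactSecretsFilter(logging.Filter):
    """Second line of defence: mask known secret strings in any log record.

    This catches the case where some code path formats the raw config (or a
    connection URL containing the password) into a message directly.
    """

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self.secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()  # resolve %-args before scanning
        for s in self.secrets:
            msg = msg.replace(s, MASK)
        record.msg = msg
        record.args = ()
        return True


def format_startup_message(config: dict, redact: bool = True) -> str:
    """Build the initialization log line; `redact=False` reproduces the leaking behaviour."""
    shown = redact_config(config) if redact else config
    return f"Initializing vector store provider with config: {shown}"


def apply_filter(message: str, secrets: Iterable[str]) -> str:
    """Run one message through RedactSecretsFilter and return what would be emitted."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, message, (), None)
    RedactSecretsFilter(secrets).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("demo")
    log.addFilter(RedactSecretsFilter(collect_secret_values(SAMPLE_CONFIG)))
    log.info(format_startup_message(SAMPLE_CONFIG))  # password shown as ********
    # Even a careless direct format of the raw config is masked by the filter.
    log.info("raw config: %s", SAMPLE_CONFIG)
```

The redaction step is the real fix; the filter is a safety net for code paths that bypass it, and it only masks values it has been told about, so it must be seeded from the same loaded configuration.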
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-llama-stack-k8s-operator-rhel9 | Not affected | | |
Additional information
EPSS
3.8 Low
CVSS3
Related vulnerabilities
Llama Stack exposes secret in initialization log