CVE-2023-24619

Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/redpanda-data/redpanda/pull/8339	Exploit Patch Vendor Advisory
https://github.com/redpanda-data/redpanda/pull/8339	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redpanda:redpanda::::::::
	cpe:2.3:a:redpanda:redpanda::::::::
	cpe:2.3:a:redpanda:redpanda::::::::

History

21 Nov 2024, 07:48

Type	Values Removed	Values Added
References	~~() https://github.com/redpanda-data/redpanda/pull/8339 - Exploit, Patch, Vendor Advisory~~	() https://github.com/redpanda-data/redpanda/pull/8339 - Exploit, Patch, Vendor Advisory
Summary		(es) Redpanda antes del 22.3.12 divulga las credenciales de AWS en texto plano. La funcionalidad de importación en el binario rpk registra un ID de clave de acceso de AWS y un secreto en texto plano en la salida estándar, lo que permite a un usuario local ver la clave en la consola o en los registros de Kubernetes si se recopila la salida estándar. Las versiones fijas son 22.3.12, 22.2.10 y 22.1.12.

Information

Published : 2023-02-13 19:15

Updated : 2024-11-21 07:48

NVD link : CVE-2023-24619

Mitre link : CVE-2023-24619

CVE.ORG link : CVE-2023-24619

JSON object : View

Products Affected

redpanda

redpanda

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2023-24619", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-02-13T19:15:11.170", "references": [{"url": "https://github.com/redpanda-data/redpanda/pull/8339", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/redpanda-data/redpanda/pull/8339", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12."}, {"lang": "es", "value": "Redpanda antes del 22.3.12 divulga las credenciales de AWS en texto plano. La funcionalidad de importaci\u00f3n en el binario rpk registra un ID de clave de acceso de AWS y un secreto en texto plano en la salida est\u00e1ndar, lo que permite a un usuario local ver la clave en la consola o en los registros de Kubernetes si se recopila la salida est\u00e1ndar. Las versiones fijas son 22.3.12, 22.2.10 y 22.1.12."}], "lastModified": "2024-11-21T07:48:14.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A490345-C476-45B6-B5F8-9C655D972701", "versionEndExcluding": "22.1.12", "versionStartIncluding": "22.1.0"}, {"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E28A2FDE-6433-4226-8C51-D691F15B4421", "versionEndExcluding": "22.2.10", "versionStartIncluding": "22.2.0"}, {"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "590B94B7-4DA5-48BE-A406-77A44C5106DD", "versionEndExcluding": "22.3.12", "versionStartIncluding": "22.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}