Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:31
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50 - Product | |
| References | () https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306 - Product | |
| References | () https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp - Exploit, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.9 |
19 Dec 2023, 16:30
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Laf
Laf laf |
|
| CPE | cpe:2.3:a:laf:laf:0.8.1:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.4:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta7:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.17:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.14:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha3:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta6:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.12:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.17:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.18:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.4:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta9:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha10:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.21:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.21:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.12:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.7:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.16:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha9:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.19:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.18:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.20:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.7:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.11:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.20:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.2:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.5:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha2:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.11:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha4:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.8:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.2:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.19:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.1:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta11:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta3:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.23:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha11:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.10:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.1:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.0:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.8:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha7:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.7:alpha3:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha9:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.13:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.7:alpha1:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.7:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha6:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha2:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.4:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.7:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha3:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.12:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.14:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha2:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.7:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.10:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta1:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.11:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta13:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.3:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.1:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha8:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.9:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.1.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.13:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.5:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta12:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.10:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.4:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.9:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.7:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.2:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.8:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.15:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.15:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha8:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha5:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.11:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.2:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.6:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.8:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.0:alpha0:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta4:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha7:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.13:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha5:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.16:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.0:alpha1:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.5:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.6:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.8:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha6:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.9:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.22:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.3:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.1:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.6:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.10:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.0:alpha3:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.0:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta5:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha1:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.6:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha6:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.0:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.4:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.3:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha3:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha1:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta8:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.4:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha4:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha1:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.2:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.3:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.3:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.5.0:alpha2:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.1:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.7:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.0:alpha10:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.6:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:beta10:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.7.2:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.6.0:alpha4:*:*:*:*:*:* cpe:2.3:a:laf:laf:1.0.0:alpha5:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.4.9:*:*:*:*:*:*:* cpe:2.3:a:laf:laf:0.8.7:alpha2:*:*:*:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
| References | () https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306 - Product | |
| References | () https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50 - Product | |
| References | () https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp - Exploit, Third Party Advisory |
13 Dec 2023, 01:50
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-12-12 21:15
Updated : 2024-11-21 08:31
NVD link : CVE-2023-48225
Mitre link : CVE-2023-48225
CVE.ORG link : CVE-2023-48225
JSON object : View
Products Affected
laf
- laf
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor