
CVE-2021-3684:
OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs

CVSS Score
5.5 (CVSS v3.1)

Basic Information

EPSS Score
0.12749%
Published
3/24/2023
Updated
4/4/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
github.com/openshift/assisted-installer
Ecosystem
go
Vulnerable Versions
< 1.0.25.1
First Patched Version
1.0.25.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two primary issues:

  1. The ExecCommandError type's Error() and DetailedError() methods in ops.go formatted the failed command's arguments and environment variables, including the PullSecretToken, into the error string without sanitization, so the pull secret was written verbatim to the installation logs. The patch introduced a removePullSecret function to redact this value before logging, confirming that these methods were the leak.
  2. The ops.ExtractFromIgnition function emitted a log message that explicitly named the 'pull secret'; the patch changed it to a generic 'data' reference. That change only reduces how much the log reveals about what was handled; the high-confidence leak of the secret value itself was in the command-execution error logging. The patch also tagged the relevant ControllerConfig field with secret:"true", which suggests framework-level redaction of configuration dumps, but the direct interpolation of the secret in the command-execution error path was the root cause.
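As an added illustration (not code from the assisted-installer project), the following Go program shows the pattern the analysis describes: an error type whose pre-patch formatting interpolates a command's arguments and environment verbatim, beside hardened Error() and DetailedError() methods that pass both through a redaction helper before formatting. The struct fields, the PULL_SECRET_TOKEN environment variable, the --pull-secret flag, the sample command and the redactPullSecret helper are assumptions made for this example; only the method names come from the advisory.

```go
package main

import (
	"fmt"
	"strings"
)

// Names of the sensitive environment variable and flag. Both are assumptions
// for this illustration; the real installer passes the pull secret its own way.
var sensitiveEnv = map[string]bool{"PULL_SECRET_TOKEN": true}
var sensitiveFlags = map[string]bool{"--pull-secret": true}

const redacted = "<redacted>"

// ExecCommandError carries everything about a failed command execution.
// The field layout is assumed; only the method names come from the advisory.
type ExecCommandError struct {
	Command string
	Args    []string
	Env     []string
	Err     error
}

// unsafeFormat reproduces the pre-patch behaviour: arguments and environment
// are interpolated verbatim, so the pull secret lands in the log line.
func (e *ExecCommandError) unsafeFormat() string {
	return fmt.Sprintf("failed executing %s %s (env: %s): %v",
		e.Command, strings.Join(e.Args, " "), strings.Join(e.Env, " "), e.Err)
}

// redactPullSecret plays the role of the patch's removePullSecret. It returns
// a copy of items with secret values masked, handling KEY=value env entries,
// --flag=value arguments and --flag value argument pairs.
func redactPullSecret(items []string) []string {
	out := make([]string, len(items))
	maskNext := false
	for i, item := range items {
		if maskNext {
			out[i] = redacted
			maskNext = false
			continue
		}
		key, _, hasValue := strings.Cut(item, "=")
		switch {
		case hasValue && (sensitiveEnv[key] || sensitiveFlags[key]):
			out[i] = key + "=" + redacted
		case sensitiveFlags[item]:
			out[i] = item
			maskNext = true // the secret is the next argument
		default:
			out[i] = item
		}
	}
	return out
}

// Error is the hardened short form: arguments are redacted before formatting.
func (e *ExecCommandError) Error() string {
	return fmt.Sprintf("failed executing %s %s: %v",
		e.Command, strings.Join(redactPullSecret(e.Args), " "), e.Err)
}

// DetailedError is the hardened long form, adding the redacted environment.
func (e *ExecCommandError) DetailedError() string {
	return fmt.Sprintf("%s (env: %s)", e.Error(), strings.Join(redactPullSecret(e.Env), " "))
}

// sampleError builds a constructed failure that carries a fake pull secret
// both as a flag value and as an environment variable.
func sampleError(secret string) *ExecCommandError {
	return &ExecCommandError{
		Command: "podman",
		Args:    []string{"pull", "--pull-secret", secret, "quay.io/example/image:latest"},
		Env:     []string{"PATH=/usr/bin", "PULL_SECRET_TOKEN=" + secret},
		Err:     fmt.Errorf("exit status 125"),
	}
}

func main() {
	const fakeSecret = "eyJhdXRocyI6e319" // constructed value, not a real credential
	e := sampleError(fakeSecret)
	fmt.Println("before:", e.unsafeFormat())
	fmt.Println("after: ", e.DetailedError())
}
```

The check worth keeping in a test suite is the negative one: every string the error type can produce must not contain the secret, whichever way it was supplied (env entry, --flag=value, or --flag value), because the log sink cannot tell which formatting path produced the line.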


WAF Protection Rules

WAF Rule

A vulnerability was found in OpenShift Assisted Installer. During generation of the discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pul
