8.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4rgc-5g6r-2rjf

GHSA-4rgc-5g6r-2rjf: lakeFS logs S3 credentials in plain text

Impact

S3 credentials are logged in plain text

S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

appears as part of the log message:

time="2023-05-12T13:51:52Z" level=error msg="failed to perform diff" func="pkg/plugins/diff.(*Service).RunDiff" file="build/pkg/plugins/diff/service.go:124" error="rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL" host="localhost:8000" method=GET operation_id=OtfDiff params="{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}" path="/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F&type=delta" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker

Discovered when investigating #5862

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

disable all logging?

References

Are there any links users can visit to find out more?

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4rgc-5g6r-2rjf

GHSA-4rgc-5g6r-2rjf:

8.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/treeverse/lakefs	go	< 0.101.0	0.101.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The log message provided in the vulnerability description shows sensitive S3 credentials being logged as part of error handling in the RunDiff function. The log line explicitly references 'func="pkg/plugins/diff.(*Service).RunDiff"' and 'file="build/pkg/plugins/diff/service.go:124"', indicating this function is responsible for constructing the log message that includes unsanitized credentials. The vulnerability stems from directly logging the S3Creds struct without redaction or filtering of sensitive fields.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.4

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4rgc-5g6r-2rjf: lakeFS logs S3 credentials in plain text

Impact

Patches

Workarounds

References

GHSA-4rgc-5g6r-2rjf:

8.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-4rgc-5g6r-2rjf: lakeFS logs S3 credentials in plain text

Impact

Patches

Workarounds

References

8.4

8.4

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI