4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rjc6-vm4h-85cg

GHSA-rjc6-vm4h-85cg: Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs

Summary

The AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless applications built on AWS. AWS SAM CLI can build container (Docker) images and customers can specify arguments in the SAM template that are passed to the Docker engine during build [1].

Impact

If customers specify sensitive data in the DockerBuildArgs parameter of their template, the sensitive data will be shown in clear text in the AWS SAM CLI output via STDERR when running the sam build command.

Patches

A patch is included in aws-sam-cli>=1.122.0.

We strongly recommend customers install AWS SAM CLI v1.122.0 or above. Please review logs produced by your SAM CLI runs if you have used the DockerBuildArgs parameter and consider rotating the secrets if you believe they were exposed.

References

If you have any questions or comments about this issue, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-build.html#build-container-image

[2] https://aws.amazon.com/security/vulnerability-reporting

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-rjc6-vm4h-85cg

GHSA-rjc6-vm4h-85cg:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aws-sam-cli	pip	< 1.122.0	1.122.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure logging of DockerBuildArgs during the 'sam build' process. The DockerClient.build function is a core component responsible for executing Docker commands, and it would naturally log the build arguments for debugging. The BuildCommand._build_function orchestrates the build process and would handle parameter propagation. Both are logical points where sensitive data could be leaked via unredacted logging. The confidence is high for DockerClient.build due to its direct role in Docker command execution, and medium for BuildCommand._build_function due to indirect involvement in parameter handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-rjc6-vm4h-85cg: Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs

Summary

Impact

Patches

References

GHSA-rjc6-vm4h-85cg:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-rjc6-vm4h-85cg: Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs

Summary

Impact

Patches

References

4.8

4.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI