CVE-2023-30610
CVSS V2 None
CVSS V3 None
Description
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.
Overview
- CVE ID
- CVE-2023-30610
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Undergoing Analysis
- Published Version
- 2023-04-19T18:15:07
- Last Modified Date
- 2023-04-19T19:52:18
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-30610 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30610 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-19 19:00:48 | Added to TrackCVE | |||
| 2023-04-19 19:00:50 | Weakness Enumeration | new | ||
| 2023-04-19 20:01:33 | 2023-04-19T19:52:18 | CVE Modified Date | updated | |
| 2023-04-19 20:01:33 | Received | Awaiting Analysis | Vulnerability Status | updated |
| 2023-04-26 11:01:03 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |