GHSA-MJV9-VP6W-3RC9
Vulnerability from github – Published: 2023-04-26 16:01 – Updated: 2025-02-05 16:42
VLAI?
Summary
AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
Details
The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, SigningParams is printed, thereby revealing those credentials to anyone with access to logs.
Impact
All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. RUST_LOG=trace), or for the aws-sigv4 crate specifically.
Patches
- Versions >=
0.55.1 0.54.20.53.20.52.10.51.10.50.10.49.10.48.10.47.10.46.10.15.10.14.10.13.10.12.10.11.10.10.20.9.10.8.10.7.10.6.10.5.30.3.10.2.1
Workarounds
Disable TRACE-level logging for AWS Rust SDK crates.
Severity ?
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.55.0"
},
{
"fixed": "0.55.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.55.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.54.1"
},
{
"fixed": "0.54.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.54.1"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.53.1"
},
{
"fixed": "0.53.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.53.1"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.52.0"
},
{
"fixed": "0.52.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.52.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.51.0"
},
{
"fixed": "0.51.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.51.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.49.0"
},
{
"fixed": "0.49.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.49.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.48.0"
},
{
"fixed": "0.48.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.48.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.47.0"
},
{
"fixed": "0.47.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.47.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.46.0"
},
{
"fixed": "0.46.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.46.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.15.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.15.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.14.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.14.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.13.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "0.12.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.12.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.11.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.1"
},
{
"fixed": "0.10.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.1"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.7.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.2"
},
{
"fixed": "0.5.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.5.2"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.1"
},
{
"fixed": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.4.1"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.3.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "aws-sigv4"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.2.0"
]
}
],
"aliases": [
"CVE-2023-30610"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-26T16:01:10Z",
"nvd_published_at": "2023-04-19T18:15:07Z",
"severity": "MODERATE"
},
"details": "The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user\u0027s AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs.\n\n### Impact\nAll users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically.\n\n### Patches\n- Versions \u003e= `0.55.1`\n- `0.54.2`\n- `0.53.2`\n- `0.52.1`\n- `0.51.1`\n- `0.50.1`\n- `0.49.1`\n- `0.48.1`\n- `0.47.1`\n- `0.46.1`\n- `0.15.1`\n- `0.14.1`\n- `0.13.1`\n- `0.12.1`\n- `0.11.1`\n- `0.10.2`\n- `0.9.1`\n- `0.8.1`\n- `0.7.1`\n- `0.6.1`\n- `0.5.3`\n- `0.3.1`\n- `0.2.1`\n\n### Workarounds\nDisable TRACE-level logging for AWS Rust SDK crates.",
"id": "GHSA-mjv9-vp6w-3rc9",
"modified": "2025-02-05T16:42:43Z",
"published": "2023-04-26T16:01:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30610"
},
{
"type": "PACKAGE",
"url": "https://github.com/awslabs/aws-sdk-rust"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…