CVE-2023-24619 - Vulnerability Details - OpenCVE

Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redpanda	Redpanda

Configuration 1 [-]

OR	cpe:2.3:a:redpanda:redpanda::::::::
	cpe:2.3:a:redpanda:redpanda::::::::
	cpe:2.3:a:redpanda:redpanda::::::::

No data.

References

Link	Providers
https://github.com/redpanda-data/redpanda/pull/8339

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-13T00:00:00

Updated: 2024-08-02T11:03:18.966Z

Reserved: 2023-01-30T00:00:00

Link: CVE-2023-24619

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-13T19:15:11.170

Modified: 2024-11-21T07:48:14.613

Link: CVE-2023-24619

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A490345-C476-45B6-B5F8-9C655D972701", "versionEndExcluding": "22.1.12", "versionStartIncluding": "22.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "matchCriteriaId": "E28A2FDE-6433-4226-8C51-D691F15B4421", "versionEndExcluding": "22.2.10", "versionStartIncluding": "22.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redpanda:redpanda:*:*:*:*:*:*:*:*", "matchCriteriaId": "590B94B7-4DA5-48BE-A406-77A44C5106DD", "versionEndExcluding": "22.3.12", "versionStartIncluding": "22.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12."}, {"lang": "es", "value": "Redpanda antes del 22.3.12 divulga las credenciales de AWS en texto plano. La funcionalidad de importaci\u00f3n en el binario rpk registra un ID de clave de acceso de AWS y un secreto en texto plano en la salida est\u00e1ndar, lo que permite a un usuario local ver la clave en la consola o en los registros de Kubernetes si se recopila la salida est\u00e1ndar. Las versiones fijas son 22.3.12, 22.2.10 y 22.1.12."}], "id": "CVE-2023-24619", "lastModified": "2024-11-21T07:48:14.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-13T19:15:11.170", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/redpanda-data/redpanda/pull/8339"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/redpanda-data/redpanda/pull/8339"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}