Veracode Vulnerability DatabaseVERACODE:43936Credential Disclosure Through Logs
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%
github.com/ydb-platform/ydb-go-sdk is vulnerable to Information Disclosure. The vulnerability is due to a custom implementation of the credentials interface. During logging, the credentials are directly serialized into the error message. If an application defines a custom credential interface, an attacker could then steal credentials from the log file.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/ydb-platform/ydb-go-sdk | le | v3.53.2 | |
| github.com/ydb-platform/ydb-go-sdk | le | v3.53.2 |
References
github.com/advisories/GHSA-q24m-6h38-5xj8
github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10
github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71
github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
github.com/ydb-platform/ydb-go-sdk/pull/859
github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%