5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%
github.com/ydb-platform/ydb-go-sdk is vulnerable to Information Disclosure. The vulnerability is due to a custom implementation of the credentials interface. During logging, the credentials are directly serialized into the error message. If an application defines a custom credential interface, an attacker could then steal credentials from the log file.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/ydb-platform/ydb-go-sdk | le | v3.53.2 | |
github.com/ydb-platform/ydb-go-sdk | le | v3.53.2 |
github.com/advisories/GHSA-q24m-6h38-5xj8
github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10
github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71
github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
github.com/ydb-platform/ydb-go-sdk/pull/859
github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8