CVE-2021-3684 – github.com/openshift/assisted-installer
Package
Manager: go
Name: github.com/openshift/assisted-installer
Vulnerable Version: >=0 <1.0.25.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00044 (percentile: 0.12545)
Details
OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.
Metadata
Created: 2023-03-24T21:30:48Z
Modified: 2023-04-04T15:24:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-g8xm-p2h4-v6jp/GHSA-g8xm-p2h4-v6jp.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-g8xm-p2h4-v6jp
Finding: F028
Auto approve: 1