CVE-2023-30610
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-30610
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30610.json
- Aliases
- Published
- 2023-04-19T18:15:07Z
- Modified
- 2023-11-29T20:26:17.507838Z
- Details
-
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The
aws_sigv4::SigningParamsstruct had a derivedDebugimplementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK,SigningParamsis printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g.RUST_LOG=trace), or for theaws-sigv4crate specifically are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates. - References
Affected packages
Git / github.com/awslabs/aws-sdk-rust
Affected ranges
- Type
- GIT
- Repo
- https://github.com/awslabs/aws-sdk-rust
- Events
-
Introduced0The exact introduced commit is unknownLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected
Affected versions
v0.*
v0.0.1-alpha
v0.0.10-alpha
v0.0.11-alpha
v0.0.12-alpha
v0.0.13-alpha
v0.0.14-alpha
v0.0.15-alpha
v0.0.16-alpha
v0.0.17-alpha
v0.0.18-alpha
v0.0.19-alpha
v0.0.2-alpha
v0.0.20-alpha
v0.0.21-alpha
v0.0.22-alpha
v0.0.23-alpha
v0.0.24-alpha
v0.0.25-alpha
v0.0.26-alpha
v0.0.3-alpha
v0.0.4-alpha
v0.0.5-alpha
v0.0.6-alpha
v0.0.7-alpha
v0.0.8-alpha
v0.0.9-alpha
v0.1.0
v0.2.0