CVE-2023-48225

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-48225

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48225.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-48225

Related

GHSA-hv2g-gxx4-fwxp

Published

2023-12-12T21:15:08Z

Modified

2025-02-19T03:38:34.637016Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when namespaceConf. fixed is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

References

Affected packages

Git / github.com/labring/laf

Affected ranges

Type: GIT
Repo: https://github.com/labring/laf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

021cf0e6d6856259f2c039d82cd37b1a19e777c3

Last affected

02dfc7c1298f24b2fe9048ccb3dc7fefa3b6cbea

Last affected

05704ea6434006871e953e473b63c3aa980ab2e0

Last affected

09e04edf73af691ea16e26f2680b67a69921decd

Last affected

0f798e0000a777cec967daf8ee85f15b7afe96cb

Last affected

13601edda3daf1da41cf843847c48f1ba0988e4e

Last affected

140c230e0f85975c83221b679c844efcccba5a97

Last affected

16dc294b187fcec64bb45059fb5596060dcd6f0f

Last affected

17180c2a6611c2edd675f7213b85764412b045a0

Last affected

1d215a4a4fcacfe6e2e53d334b77e30450531d78

Last affected

241941d0b5ad5bac8a3cf5b86747b72216971558

Last affected

24f06258b47f25041e53cc5af74b933e4eaf6504

Last affected

27c3b2bc229a355ac2f92026b2b55c05e1095938

Last affected

28acdd28a42b042505e8f71a637b9ab38cbb3909

Last affected

2a81a0c57dbadd2075bca2766021c867e9209d97

Last affected

38c91dfda7541d71737c269fad0766e06e796ccc

Last affected

3a56a5929cce45c4ad44f359d0b3873df3156cdd

Last affected

4570f9941bf94f61a22e88d26a330f96b1efa67e

Last affected

470e148b69f34a1189693e23ad2e7805c8f4b8e9

Last affected

4db842e0cd8b939b5c0dcbfa2dc1fa4307685773

Last affected

59ed63c2746b276d2779cb208790f7190fba66e7

Last affected

5c4fb544d1d0cd05c84bed92a9e0b027aa3e9dbc

Last affected

6075ce2c8efa49dd450ac5921ec7bd6ffbeefa91

Last affected

6327f527717222bcdc4cb22e83be5d55447ed9d0

Last affected

70141d67dd5a601c4179a02f864629e19d281c1b

Last affected

7121988b75f804e72a161e0a73776288aae2b95f

Last affected

71588cf6caa128c3eaa010f9bb93924268260449

Last affected

7c2db8ed52f5a355e660e713147860b310f4690f

Last affected

7d2f7f9a1e93db7049d1c232d5550f131f950c92

Last affected

7ede517ea9920914cad0ca5cb27bd0f57ca76870

Last affected

7f31231d2948f630b8a00de3e5c4a2dd32d03105

Last affected

84f2bf6d3ed2b955e79d14337623e7dbbd5346cf

Last affected

86133c8116bb505fc66eabe4351fb1b80befc475

Last affected

86f5e2048faccc082bd3f49f50c3e9b24f02ebee

Last affected

88d4e28152ebf0d5eda8c28d4c343496a5048b5b

Last affected

88f71d10adffe752949fdd34a0d9c5e7fc14cfa6

Last affected

8c596b45762bdd797721a579b032fa8688739178

Last affected

8eaba870e2ff055cdb0cd6b7990a4a6536a07846

Last affected

90e7d3e80cc8858995a6a29ed74e69f5b70fea8a

Last affected

9104793c034ea322735616f5e9c1ae8c2629dc56

Last affected

94eeab9eba42a12ba3abe5f0c7f879e970f36d95

Last affected

95cbf750dcbd029d01f2dc6c0295f125e0172b8b

Last affected

9a3f2f292e643b5af18f4365cf3336892ec893f0

Last affected

9a68846bc418a03eface2b8b747dc3cdd810d115

Last affected

a2cecd83e4c549f597fa4c5337638159c33b66e2

Last affected

a9695710e372f9d5b26603c3136a80acc8bcb327

Last affected

aa56a2d7b1e143524a669cfca5d5005ada00afbe

Last affected

acc2e8ee851d41ed5ecda0c9d0b65aaefc1b0466

Last affected

b19c11a6fb5732d996c230fa25103bd4d1d6c26d

Last affected

b1cb02a1aa8196b52de1e9ebae4335400f5fb0e1

Last affected

b3d47dc9ba8d7014143a180d57afd1dd5782f029

Last affected

b74f771b8a7ca26d34f01f45b56c943f40e9cbc1

Last affected

ba553db1f15d45e00507e1afc1a4c69496d425ba

Last affected

bb8464ddb16fd540dbb43e1f7c7f59549ffa6c05

Last affected

bc6a7eaa8fadec55167b495b5c2a1855243faccb

Last affected

bd9961d1e54b8bdd2bafc4b7f0bbdcaf03e8bf49

Last affected

c18c2667a58d56a43f8f723144f196d9516286b3

Last affected

c1d792a24868d51d4c91faaa9e0ab1f19fe6583a

Last affected

c81342e5a883c52fee36bb413958a2454d47c9dd

Last affected

c9ca724a7c90d31ec517d9447e767501f06281e8

Last affected

cb6a2609b87b959bf4e49065b8b45420ccae50ae

Last affected

d20dff021d319e623ee5467c0ea7777de9064400

Last affected

d5277f20971dd2ef759e1d1df7eedc6f4d639940

Last affected

d718d4c86a3c4b796302fd2802f00fe93b35e9a2

Last affected

da4fb4536e7964106a81e304ec61b264514f9f91

Last affected

e10c6de27158f32b3659e171abf099f98b00fb22

Last affected

e13ae9bd3fa73b31cec19142c2ef135717cadbf6

Last affected

e2d45342fd29d24d3b282b6b854b30a41aa6f387

Last affected

e9d52d35c1541173d96be4ef2afcec233fbe5881

Last affected

eb16039746f91e2957a812ca127d5a6ad1547980

Last affected

f1d4ff418af0de82522d598f405dc54bb4441e7f

Last affected

f2defc22284e2c82fefb67a5c7556d95e9088487

Last affected

f469c6a6dc7e68e5df77b168aa18cea557a64c38

Last affected

f4be11b69e205c59a8545e13e6d644ece7d857c6

Last affected

f5b039fa11f412e60b61f280526c72f9918535a7

Last affected

f6975229c72cc25e0fbcd5e89a29ccbe8d0e42f9

Last affected

f6e3161a8ed9b95539d7845b384428ae0e272d4c

Last affected

fdc09b10265964420840d9c4463ea68f21f1330d

Last affected

fe36176c36a8a83d97b0343de9cf4b22e22a162b

Last affected

ffe64b92ea894f32180a7433b976304072da0d80

Affected versions

cloud-function-engine@0.*

cloud-function-engine@0.0.3

cloud-function-engine@0.0.4

cloud-function-engine@0.0.5

cloud-function-engine@0.0.6

cloud-function-engine@0.0.7

cloud-function@0.*

cloud-function@0.0.2

laf-app-server@0.*

laf-app-server@0.2.5

laf-app-server@0.2.6

laf-app-server@0.2.7

laf-app-server@0.2.8

laf-devops-admin@0.*

laf-devops-admin@0.0.2

laf-devops-admin@0.0.3

laf-devops-server@0.*

laf-devops-server@0.0.2

laf-devops-server@0.0.3

laf-devops-server@0.0.4

laf-devops-server@0.0.5

less-api-framework@0.*

less-api-framework@0.2.1

less-api-framework@0.2.2

less-api-framework@0.2.3

less-api-framework@0.2.4

node-modules-utils@0.*

node-modules-utils@0.0.2

node-modules-utils@0.0.3

node-modules-utils@0.0.4

node-modules-utils@0.0.5

node-modules-utils@0.0.6

v0.*

v0.1.5

v0.4.0

v0.4.1

v0.4.10

v0.4.11

v0.4.12

v0.4.13

v0.4.14

v0.4.15

v0.4.16

v0.4.17

v0.4.18

v0.4.19

v0.4.2

v0.4.20

v0.4.21-alpha.0

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.4.9

v0.5.0

v0.5.0-alpha.0

v0.5.0-alpha.1

v0.5.0-alpha.2

v0.5.0-alpha.3

v0.5.1

v0.5.1-alpha.0

v0.5.2

v0.5.2-alpha.0

v0.5.3

v0.5.4

v0.5.4-alpha.0

v0.5.5

v0.5.5-alpha.0

v0.5.6

v0.5.7

v0.5.7-alpha.0

v0.5.8-alpha.0

v0.6.0

v0.6.0-alpha.0

v0.6.0-alpha.1

v0.6.0-alpha.10

v0.6.0-alpha.2

v0.6.0-alpha.3

v0.6.0-alpha.4

v0.6.0-alpha.5

v0.6.0-alpha.6

v0.6.0-alpha.7

v0.6.0-alpha.8

v0.6.0-alpha.9

v0.6.1

v0.6.10

v0.6.11

v0.6.12

v0.6.13

v0.6.14

v0.6.15

v0.6.16

v0.6.17

v0.6.18

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9