GHSA-mjv9-vp6w-3rc9
- Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-mjv9-vp6w-3rc9/GHSA-mjv9-vp6w-3rc9.json
- Aliases
-
- CVE-2023-30610
- Published
- 2023-04-26T16:01:10Z
- Modified
- 2023-04-26T16:01:10Z
- Details
-
The
aws_sigv4::SigningParamsstruct had a derivedDebugimplementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK,SigningParamsis printed, thereby revealing those credentials to anyone with access to logs.Impact
All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g.
RUST_LOG=trace), or for theaws-sigv4crate specifically.Patches
- Versions >=
0.55.1 0.54.20.53.20.52.10.51.10.50.10.49.10.48.10.47.10.46.10.15.10.14.10.13.10.12.10.11.10.10.20.9.10.8.10.7.10.6.10.5.30.3.10.2.1
Workarounds
Disable TRACE-level logging for AWS Rust SDK crates.
- Versions >=
- References
Affected packages
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4
crates.io / aws-sigv4
aws-sigv4