GHSA-rjc6-vm4h-85cg

Suggest an improvement
Source
https://github.com/advisories/GHSA-rjc6-vm4h-85cg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rjc6-vm4h-85cg/GHSA-rjc6-vm4h-85cg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rjc6-vm4h-85cg
Published
2024-09-11T19:20:57Z
Modified
2024-09-11T19:30:51.139136Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs
Details

Summary

The AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless applications built on AWS. AWS SAM CLI can build container (Docker) images and customers can specify arguments in the SAM template that are passed to the Docker engine during build [1].

Impact

If customers specify sensitive data in the DockerBuildArgs parameter of their template, the sensitive data will be shown in clear text in the AWS SAM CLI output via STDERR when running the sam build command.

Patches

A patch is included in aws-sam-cli>=1.122.0.

We strongly recommend customers install AWS SAM CLI v1.122.0 or above. Please review logs produced by your SAM CLI runs if you have used the DockerBuildArgs parameter and consider rotating the secrets if you believe they were exposed.

References

If you have any questions or comments about this issue, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-using-build.html#build-container-image

[2] https://aws.amazon.com/security/vulnerability-reporting

References

Affected packages

PyPI / aws-sam-cli

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.122.0

Affected versions

0.*

0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.7.0
0.8.0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0
0.13.0
0.14.0
0.14.1
0.14.2
0.15.0
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.30.0
0.31.0
0.31.1
0.32.0
0.33.1
0.34.0
0.35.0
0.36.0
0.37.0
0.38.0
0.39.0
0.40.0
0.41.0
0.42.0
0.43.0
0.44.0
0.45.0
0.46.0
0.46.1
0.46.2
0.47.0
0.48.0
0.49.0
0.50.0
0.51.0
0.52.0
0.53.0

1.*

1.0.0rc1
1.0.0rc2
1.0.0
1.1.0
1.2.0
1.3.0
1.3.2
1.4.0
1.6.0
1.6.2
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0
1.12.0
1.13.1
1.13.2
1.14.0
1.15.0
1.16.0
1.17.0
1.18.0
1.18.1
1.18.2
1.19.0
1.19.1
1.20.0
1.21.0
1.21.1
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.26.0
1.27.0
1.27.1
1.27.2
1.28.0
1.29.0
1.30.0
1.31.0
1.32.0
1.33.0
1.34.1
1.35.0
1.36.0
1.37.0
1.38.0
1.38.1
1.39.0
1.40.0
1.40.1
1.41.0
1.42.0
1.43.0
1.44.0
1.45.0
1.46.0
1.47.0
1.48.0
1.49.0
1.50.0
1.51.0
1.52.0
1.53.0
1.54.0
1.55.0
1.56.0
1.56.1
1.57.0
1.58.0
1.59.0
1.60.0
1.61.0
1.62.0
1.63.0
1.64.0
1.65.0
1.66.0
1.67.0
1.68.0
1.69.0
1.70.0
1.70.1
1.71.0
1.72.0
1.73.0
1.74.0
1.75.0
1.76.0
1.77.0
1.78.0
1.79.0
1.80.0
1.81.0
1.82.0
1.83.0
1.84.0
1.85.0
1.86.0
1.86.1
1.87.0
1.88.0
1.89.0
1.90.0
1.91.0
1.92.0
1.93.0
1.94.0
1.95.0
1.96.0
1.97.0
1.98.0
1.99.0
1.100.0
1.101.0
1.102.0
1.103.0
1.104.0
1.105.0
1.106.0
1.107.0
1.108.0
1.109.0
1.110.0
1.111.0
1.112.0
1.113.0
1.114.0
1.115.0
1.116.0
1.117.0
1.118.0
1.119.0
1.120.0
1.121.0