GO-2023-2137

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-2137

Import Source

https://vuln.go.dev/ID/GO-2023-2137.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-2137

Aliases

Published

2023-10-24T20:27:41Z

Modified

2024-05-20T16:03:47Z

Summary

Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3

Details

A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-2137"
}

References

Affected packages

Go / github.com/ydb-platform/ydb-go-sdk/v3

Package

Name: github.com/ydb-platform/ydb-go-sdk/v3; View open source insights on deps.dev
Purl: pkg:golang/github.com/ydb-platform/ydb-go-sdk/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.48.6

Fixed

3.53.3

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/ydb-platform/ydb-go-sdk/v3",
            "symbols": [
                "Connector",
                "Driver.Close",
                "Driver.Coordination",
                "Driver.Discovery",
                "Driver.Ratelimiter",
                "Driver.Scheme",
                "Driver.Scripting",
                "Driver.Table",
                "Driver.Topic",
                "Driver.With",
                "IsTimeoutError",
                "IsTransportError",
                "MustConnector",
                "MustOpen",
                "New",
                "Open",
                "Unwrap",
                "WithAccessTokenCredentials",
                "WithAnonymousCredentials",
                "WithCertificatesFromFile",
                "WithRequestType",
                "WithTraceID",
                "connect",
                "initOnce.Close",
                "initOnce.Init",
                "sqlDriver.OpenConnector"
            ]
        },
        {
            "path": "github.com/ydb-platform/ydb-go-sdk/v3/credentials",
            "symbols": [
                "NewAccessTokenCredentials",
                "NewAnonymousCredentials",
                "NewStaticCredentials",
                "WithSourceInfo",
                "staticCredentialsConfig.Endpoint",
                "staticCredentialsConfig.GrpcDialOptions"
            ]
        },
        {
            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer",
            "symbols": [
                "Balancer.Invoke",
                "Balancer.NewStream",
                "Balancer.clusterDiscovery",
                "Balancer.wrapCall",
                "New"
            ]
        },
        {
            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/conn",
            "symbols": [
                "WithAfterFunc"
            ]
        },
        {
            "path": "github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials",
            "symbols": [
                "AccessToken.String",
                "Anonymous.String",
                "NewAccessTokenCredentials",
                "NewAnonymousCredentials",
                "NewStaticCredentials",
                "Static.String",
                "WithSourceInfo"
            ]
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2023-2137.json"