CVE-2021-3528 — Insufficiently Protected Credentials in Redhat Noobaa-operator

CWE-522 — Insufficiently Protected Credentials CWE-532 — Log File Information Exposure4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 43.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Noobaa-operator

Timeline

PublishedMay 13

Latest updateMay 24

Description

A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDredhat/noobaa-operator< 5.7.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-3q58-8ch7-h333: A flaw was found in noobaa-operator in versions before 5↗2022-05-24

▶

CVEList

CVE-2021-3528: A flaw was found in noobaa-operator in versions before 5↗2021-05-13

▶

📋Vendor Advisories

Red Hat

NooBaa: noobaa-operator leaking RPC AuthToken into log files↗2021-03-07

▶