CVE-2022-23538: Insufficiently Protected Credentials in scs-library-client

Severity: 7.6 HIGH (NVD)
EPSS: 0.4% (top 40.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 17; latest update Feb 1

Description

github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When scs-library-client is used to pull a container image with authentication, the HTTP Authorization header that the client sends to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in one specific flow: the library service redirects the client to a backing S3 storage server to perform a multi-part concurrent download, and the client forwards the library credential along with the redirected requests.
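One way a Go client can keep the library credential from following a redirect to a third-party host, as an added example that is not part of the advisory or of scs-library-client itself (the two httptest servers, the request paths and the bearer token value are constructed stand-ins for the library service and its S3 backing store):

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sameOrigin: same scheme and host (name and port) as the request that carried the credential.
func sameOrigin(initial, redirect *url.URL) bool {
	return initial.Scheme == redirect.Scheme && initial.Host == redirect.Host
}

// NewLibraryClient builds an http.Client whose redirect hook deletes the Authorization
// header whenever a redirect leaves the origin (the backing-store case). Go's default client
// drops it on a hostname change, but code that re-attaches the header to every outgoing
// request bypasses that, so the policy is made explicit and testable here.
func NewLibraryClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			if !sameOrigin(via[0].URL, req.URL) {
				req.Header.Del("Authorization")
			}
			return nil
		},
	}
}

// Demo replays the pull flow with constructed stand-ins: a "library" redirects the
// authenticated client to a separate "storage" server; both record the header they saw.
func Demo() (libraryAuth, storageAuth string, err error) {
	storage := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		storageAuth = r.Header.Get("Authorization")
	}))
	defer storage.Close()
	library := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		libraryAuth = r.Header.Get("Authorization")
		http.Redirect(w, r, storage.URL+"/part/0", http.StatusTemporaryRedirect)
	}))
	defer library.Close()
	req, _ := http.NewRequest(http.MethodGet, library.URL+"/v1/imagefile/example", nil)
	req.Header.Set("Authorization", "Bearer constructed-token") // constructed, not a real token
	resp, err := NewLibraryClient().Do(req)
	if err == nil {
		resp.Body.Close()
	}
	return libraryAuth, storageAuth, err
}
```

Because both test servers listen on 127.0.0.1, the default client would treat them as the same domain and forward the header; the explicit hook compares the full host, including the port, and strips it.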

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Exploitability: 2.3 | Impact: 4.7

Affected Packages (4 packages)

CVEList V5: sylabs/scs-library-client < 1.34+1
Debian: debian/singularity-container < singularity-container 3.11.0+ds1-1 (sid)

Patches

Vulnerability Details (4)

OSV: Leaked user credentials in github.com/sylabs/scs-library-client (2023-02-01)
OSV: scs-library-client may leak user credentials to third-party service via HTTP redirect (2023-01-20)
GHSA: scs-library-client may leak user credentials to third-party service via HTTP redirect (2023-01-20)
OSV: CVE-2022-23538: github (2023-01-17)

Vendor Advisories (1)

Debian: CVE-2022-23538: singularity-container - github.com/sylabs/scs-library-client is the Go client for the Singularity Contai... (2022)