CVE-2024-41178

Severity: 7.5 HIGH
EPSS: 0.3% (top 47.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 23

Description

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdent

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package      | Introduced | Fixed / last affected
-----------|--------------|------------|----------------------
crates.io  | object_store | 0.5.0      | 0.10.2
NVD        | apache/arrow | 0.5.0      | 0.10.1

Vulnerability Details (4 references)

OSV: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files (2024-07-23)
OSV: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files (2024-07-23)
CVEList: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files (2024-07-23)
GHSA: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files (2024-07-23)
CVE-2024-41178 (HIGH CVSS 7.5) | cvebase.io