data/reports/GO-2023-1497.yaml - vulndb - Git at Google

 id: GO-2023-1497
 modules:
     - module: github.com/sylabs/scs-library-client
       versions:
         - fixed: 1.3.4
       vulnerable_at: 1.3.3
       packages:
         - package: github.com/sylabs/scs-library-client/client
           symbols:
             - Client.httpGetRangeRequest
           derived_symbols:
             - Client.ConcurrentDownloadImage
             - Client.UploadImage
     - module: github.com/sylabs/scs-library-client
       versions:
         - introduced: 1.4.0
           fixed: 1.4.2
       vulnerable_at: 1.4.1
       packages:
         - package: github.com/sylabs/scs-library-client/client
           symbols:
             - Client.legacyDownloadImage
           derived_symbols:
             - Client.ConcurrentDownloadImage
 summary: Leaked user credentials in github.com/sylabs/scs-library-client
 description: |-
     When the scs-library-client is used to pull a container image, with
     authentication, the HTTP Authorization header sent by the client to the library
     service may be incorrectly leaked to an S3 backing storage provider.
 cves:
     - CVE-2022-23538
 ghsas:
     - GHSA-7p8m-22h4-9pj7
 references:
     - fix: https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
     - fix: https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c
	id: GO-2023-1497
	modules:
	- module: github.com/sylabs/scs-library-client
	versions:
	- fixed: 1.3.4
	vulnerable_at: 1.3.3
	packages:
	- package: github.com/sylabs/scs-library-client/client
	symbols:
	- Client.httpGetRangeRequest
	derived_symbols:
	- Client.ConcurrentDownloadImage
	- Client.UploadImage
	- module: github.com/sylabs/scs-library-client
	versions:
	- introduced: 1.4.0
	fixed: 1.4.2
	vulnerable_at: 1.4.1
	packages:
	- package: github.com/sylabs/scs-library-client/client
	symbols:
	- Client.legacyDownloadImage
	derived_symbols:
	- Client.ConcurrentDownloadImage
	summary: Leaked user credentials in github.com/sylabs/scs-library-client
	description: \|-
	When the scs-library-client is used to pull a container image, with
	authentication, the HTTP Authorization header sent by the client to the library
	service may be incorrectly leaked to an S3 backing storage provider.
	cves:
	- CVE-2022-23538
	ghsas:
	- GHSA-7p8m-22h4-9pj7
	references:
	- fix: https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
	- fix: https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c