| id: GO-2023-1497 |
| modules: |
| - module: github.com/sylabs/scs-library-client |
| versions: |
| - fixed: 1.3.4 |
| vulnerable_at: 1.3.3 |
| packages: |
| - package: github.com/sylabs/scs-library-client/client |
| symbols: |
| - Client.httpGetRangeRequest |
| derived_symbols: |
| - Client.ConcurrentDownloadImage |
| - Client.UploadImage |
| - module: github.com/sylabs/scs-library-client |
| versions: |
| - introduced: 1.4.0 |
| fixed: 1.4.2 |
| vulnerable_at: 1.4.1 |
| packages: |
| - package: github.com/sylabs/scs-library-client/client |
| symbols: |
| - Client.legacyDownloadImage |
| derived_symbols: |
| - Client.ConcurrentDownloadImage |
| summary: Leaked user credentials in github.com/sylabs/scs-library-client |
| description: |- |
| When the scs-library-client is used to pull a container image, with |
| authentication, the HTTP Authorization header sent by the client to the library |
| service may be incorrectly leaked to an S3 backing storage provider. |
| cves: |
| - CVE-2022-23538 |
| ghsas: |
| - GHSA-7p8m-22h4-9pj7 |
| references: |
| - fix: https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa |
| - fix: https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c |
| review_status: REVIEWED |