blob: 0ca32f7d5be0d3829121d9cb0ae10f3769a9a26a [file] [log] [blame]
id: GO-2023-1497
modules:
- module: github.com/sylabs/scs-library-client
versions:
- fixed: 1.3.4
vulnerable_at: 1.3.3
packages:
- package: github.com/sylabs/scs-library-client/client
symbols:
- Client.httpGetRangeRequest
derived_symbols:
- Client.ConcurrentDownloadImage
- Client.UploadImage
- module: github.com/sylabs/scs-library-client
versions:
- introduced: 1.4.0
fixed: 1.4.2
vulnerable_at: 1.4.1
packages:
- package: github.com/sylabs/scs-library-client/client
symbols:
- Client.legacyDownloadImage
derived_symbols:
- Client.ConcurrentDownloadImage
summary: Leaked user credentials in github.com/sylabs/scs-library-client
description: |-
When the scs-library-client is used to pull a container image, with
authentication, the HTTP Authorization header sent by the client to the library
service may be incorrectly leaked to an S3 backing storage provider.
cves:
- CVE-2022-23538
ghsas:
- GHSA-7p8m-22h4-9pj7
references:
- fix: https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
- fix: https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c
review_status: REVIEWED