blob: 16666269b7e7c45f2b7a5b3b580685d391e03bf1 [file] [log] [blame]
id: GO-2023-2137
modules:
- module: github.com/ydb-platform/ydb-go-sdk/v3
versions:
- introduced: 3.48.6
- fixed: 3.53.3
vulnerable_at: 3.53.2
packages:
- package: github.com/ydb-platform/ydb-go-sdk/v3
symbols:
- connect
derived_symbols:
- Connector
- Driver.Close
- Driver.Coordination
- Driver.Discovery
- Driver.Ratelimiter
- Driver.Scheme
- Driver.Scripting
- Driver.Table
- Driver.Topic
- Driver.With
- IsTimeoutError
- IsTransportError
- MustConnector
- MustOpen
- New
- Open
- Unwrap
- WithAccessTokenCredentials
- WithAnonymousCredentials
- WithCertificatesFromFile
- WithRequestType
- WithTraceID
- initOnce.Close
- initOnce.Init
- sqlDriver.OpenConnector
- package: github.com/ydb-platform/ydb-go-sdk/v3/credentials
symbols:
- NewAccessTokenCredentials
- NewAnonymousCredentials
- staticCredentialsConfig.Endpoint
- staticCredentialsConfig.GrpcDialOptions
- NewStaticCredentials
- WithSourceInfo
- package: github.com/ydb-platform/ydb-go-sdk/v3/internal/balancer
symbols:
- Balancer.clusterDiscovery
- Balancer.wrapCall
derived_symbols:
- Balancer.Invoke
- Balancer.NewStream
- New
- package: github.com/ydb-platform/ydb-go-sdk/v3/internal/conn
symbols:
- WithAfterFunc
- package: github.com/ydb-platform/ydb-go-sdk/v3/internal/credentials
symbols:
- NewAccessTokenCredentials
- AccessToken.String
- NewAnonymousCredentials
- Anonymous.String
- WithSourceInfo
- NewStaticCredentials
- Static.String
summary: Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3
description: |-
A custom credentials object that does not implement the fmt.Stringer interface
may leak sensitive information (e.g., credentials) via logs.
cves:
- CVE-2023-45825
ghsas:
- GHSA-q24m-6h38-5xj8
references:
- advisory: https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
- fix: https://github.com/ydb-platform/ydb-go-sdk/pull/859
- fix: https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
review_status: REVIEWED