GHSA-26hr-q2wp-rvc5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-26hr-q2wp-rvc5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-26hr-q2wp-rvc5/GHSA-26hr-q2wp-rvc5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-26hr-q2wp-rvc5
- Aliases
- Published
- 2023-12-12T00:58:04Z
- Modified
- 2024-08-21T14:57:42.961331Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- User with permission to write actions can impersonate another user when auth token is configured in environment variable
- Details
-
Impact
When lakeFS is configured with ALL of the following:
- Configuration option
auth.encrypt.secret_keypassed through environment variable - Actions enabled via configuration option
actions.enabled(default enabled)
then a user who can configure an action can impersonate any other user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
ANY ONE of these is sufficient to prevent the issue:
Do not pass
auth.encrypt.secret_keythrough an environment variable.For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
- Disable actions.
- Limit users allowed to configure actions.
- Configuration option
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-12-12T00:58:04Z" }- References
Affected packages
Go / github.com/treeverse/lakefs
Package
- Name
- github.com/treeverse/lakefs
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/treeverse/lakefs