CVE-2023-24619
Last modified
CVE-2023-24619 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. EPSS estimates a 0.27% chance of exploitation in the next 30 days.
Description
Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redpanda | Redpanda | >= 22.1.0, < 22.1.12 |
| Redpanda | Redpanda | >= 22.2.0, < 22.2.10 |
| Redpanda | Redpanda | >= 22.3.0, < 22.3.12 |
References
- https://github.com/redpanda-data/redpanda/pull/8339Exploit, Patch, Vendor Advisory
- https://github.com/redpanda-data/redpanda/pull/8339Exploit, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-24619?
How severe is CVE-2023-24619?
How do I fix CVE-2023-24619?
Are you affected by CVE-2023-24619?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST