CVE-2023-30610

Severity: MEDIUM | CVSS 5.5/10 | EPSS 0.22%

CVE-2023-30610 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. aws-sigv4 is a Rust library for low-level request signing on the AWS cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation, which exposed AWS credentials in plaintext whenever the struct was debug-formatted. EPSS estimates a 0.22% chance of exploitation in the next 30 days.

Description

aws-sigv4 is a Rust library for low-level request signing on the AWS cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to the logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`) or for the `aws-sigv4` crate specifically, are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.
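To make the failure mode concrete, here is an added illustration (not the aws-sigv4 crate's own code) of the struct shape the advisory describes next to a hardened form. The field names, the `RedactedSigningParams` name and the sample credential values are constructed for the example; the hardened version replaces the derived `Debug` with a hand-written one that never formats the credential fields, which is the class of fix this advisory calls for.

```rust
use std::fmt;

// Constructed sample credentials for the demonstration (not real keys).
const ACCESS_KEY: &str = "EXAMPLE_ACCESS_KEY_ID";
const SECRET_KEY: &str = "EXAMPLE_SECRET_ACCESS_KEY";
const TOKEN: &str = "EXAMPLE_SESSION_TOKEN";

// Vulnerable shape: a derived Debug prints every field verbatim, so any
// `{:?}` rendering (for example inside a TRACE log line) writes the secrets out.
#[derive(Debug)]
pub struct LeakySigningParams {
    pub access_key: String,
    pub secret_key: String,
    pub security_token: Option<String>,
    pub region: String,
}

// Hardened shape: same fields, but Debug is written by hand and never
// touches the credential values themselves.
pub struct RedactedSigningParams {
    pub access_key: String,
    pub secret_key: String,
    pub security_token: Option<String>,
    pub region: String,
}

impl fmt::Debug for RedactedSigningParams {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("SigningParams")
            .field("access_key", &"** redacted **")
            .field("secret_key", &"** redacted **")
            // Presence or absence of a token stays visible; its value never does.
            .field("security_token", &self.security_token.as_ref().map(|_| "** redacted **"))
            .field("region", &self.region)
            .finish()
    }
}

/// Render both variants exactly as a `{:?}` log line would.
pub fn render_both() -> (String, String) {
    let leaky = LeakySigningParams { access_key: ACCESS_KEY.into(), secret_key: SECRET_KEY.into(),
        security_token: Some(TOKEN.into()), region: "us-east-1".into() };
    let safe = RedactedSigningParams { access_key: ACCESS_KEY.into(), secret_key: SECRET_KEY.into(),
        security_token: Some(TOKEN.into()), region: "us-east-1".into() };
    (format!("{:?}", leaky), format!("{:?}", safe))
}

/// Log-review check: true if any sample credential value appears in a rendered line.
pub fn exposes_credentials(rendered: &str) -> bool {
    [ACCESS_KEY, SECRET_KEY, TOKEN].iter().any(|s| rendered.contains(*s))
}

fn main() {
    let (leaky, safe) = render_both();
    println!("derived:  {}\nredacted: {}", leaky, safe);
}
```

`exposes_credentials` is the same check a defender can run over captured TRACE logs from an unpatched version to decide whether keys need rotating.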

Metrics

CVSS 3.1
5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.22%

12.0th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor   Product     Version
Amazon   aws-sigv4   0.2.0
Amazon   aws-sigv4   0.3.0
Amazon   aws-sigv4   0.4.1
Amazon   aws-sigv4   0.5.2
Amazon   aws-sigv4   0.6.0
Amazon   aws-sigv4   0.7.0
Amazon   aws-sigv4   0.8.0
Amazon   aws-sigv4   0.9.0
Amazon   aws-sigv4   0.10.1
Amazon   aws-sigv4   0.11.0
Amazon   aws-sigv4   0.12.0
Amazon   aws-sigv4   0.13.0
Amazon   aws-sigv4   0.14.0
Amazon   aws-sigv4   0.15.0
Amazon   aws-sigv4   0.46.0
Amazon   aws-sigv4   0.47.0
Amazon   aws-sigv4   0.48.0
Amazon   aws-sigv4   0.49.0
Amazon   aws-sigv4   0.50.0
Amazon   aws-sigv4   0.51.0
Amazon   aws-sigv4   0.52.0
Amazon   aws-sigv4   0.53.1
Amazon   aws-sigv4   0.54.1
Amazon   aws-sigv4   0.55.0

References

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2023-30610?
aws-sigv4 is a Rust library for low-level request signing on the AWS cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to the logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`) or for the `aws-sigv4` crate specifically, are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.
How severe is CVE-2023-30610?
CVE-2023-30610 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.22% probability of exploitation in the next 30 days.
How do I fix CVE-2023-30610?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-30610?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST