Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yNmhyLXEyd3AtcnZjNc4AA3q9

User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact

When lakeFS is configured with ALL of the following:

Configuration option auth.encrypt.secret_key passed through environment variable
Actions enabled via configuration option actions.enabled (default enabled)

then a user who can configure an action can impersonate any other user.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

ANY ONE of these is sufficient to prevent the issue:

Do not pass auth.encrypt.secret_key through an environment variable.

For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
Disable actions.
Limit users allowed to configure actions.

Permalink: https://github.com/advisories/GHSA-26hr-q2wp-rvc5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNmhyLXEyd3AtcnZjNc4AA3q9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Identifiers: GHSA-26hr-q2wp-rvc5
References:

Repository: https://github.com/treeverse/lakeFS
Blast Radius: 0.0

Affected Packages

go:github.com/treeverse/lakefs

Dependent packages: 1
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.3.1
Fixed in: 1.3.1
All affected versions: 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.30.0, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.32.1, 0.33.0, 0.33.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.41.1, 0.42.0, 0.43.0, 0.44.0, 0.44.1, 0.45.0, 0.45.1, 0.46.0, 0.47.0, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.53.1, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.58.0, 0.58.1, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.69.1, 0.70.0, 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.70.5, 0.70.6, 0.80.0, 0.80.1, 0.80.2, 0.82.0, 0.83.0, 0.83.2, 0.83.3, 0.83.4, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.87.1, 0.88.0, 0.89.0, 0.90.0, 0.90.1, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.94.1, 0.95.0, 0.96.0, 0.96.1, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.97.4, 0.97.5, 0.97.6, 0.97.66, 0.97.999, 0.98.0, 0.99.0, 0.99.1, 0.100.0, 0.101.0, 0.101.1, 0.102.0, 0.102.1, 0.102.2, 0.103.0, 0.104.0, 0.105.0, 0.106.0, 0.106.1, 0.106.2, 0.107.0, 0.107.1, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.111.1, 0.112.0, 0.112.1, 0.113.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0
All unaffected versions: 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0