Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOHhtLXAyaDQtdjZqcM4AAyRi
OpenShift Assisted Installer leaks image pull secrets as plaintext in installation logs
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.
Permalink: https://github.com/advisories/GHSA-g8xm-p2h4-v6jpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOHhtLXAyaDQtdjZqcM4AAyRi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-g8xm-p2h4-v6jp, CVE-2021-3684
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3684
- https://github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4
- https://github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a
- https://bugzilla.redhat.com/show_bug.cgi?id=1985962
- https://github.com/advisories/GHSA-g8xm-p2h4-v6jp
Blast Radius: 0.0
Affected Packages
go:github.com/openshift/assisted-installer
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.0.25.1
Fixed in: 1.0.25.1
All affected versions:
All unaffected versions: 1.0.9