Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcDd2LTM1ODctMjk1Ns4AAxfm
Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set
A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.
Impact
The SYFT_ATTEST_PASSWORD
environment variable is for the syft attest
command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with syft attest --key <path-to-key-file>
) during the signing process while generating an SBOM attestation.
This vulnerability affects users running syft that have the SYFT_ATTEST_PASSWORD
environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable SYFT_ATTEST_PASSWORD
set are not affected by this issue.
The credentials are leaked in two ways:
- in the syft logs when
-vv
or-vvv
are used in the syft command (which is any log level >=DEBUG
) - in the attestation or SBOM only when the
syft-json
format is used
Note that as of v0.69.0 any generated attestations by the syft attest
command are uploaded to the OCI registry (if you have write access to that registry) in the same way cosign attach
is done. This means that any attestations generated for the affected versions of syft when the SYFT_ATTEST_PASSWORD
environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.
Example commands run from affected versions of syft that show the credential disclosure:
$ SYFT_ATTEST_PASSWORD=123456 syft <container-image-or-directory-input> -o syft-json | grep 123456
# "123456" is in the output
$ SYFT_ATTEST_PASSWORD=123456 syft attest <container-image-input> -o syft-json
$ cosign download attestation <container-image-input> | jq -r '.payload' | base64 -d | grep 123456
# "123456" is in the output
Patches
The patch has been released in v0.70.0.
Workarounds
There are no workarounds for this vulnerability.
References
Patch pull request: https://github.com/anchore/syft/pull/1538
Permalink: https://github.com/advisories/GHSA-jp7v-3587-2956JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcDd2LTM1ODctMjk1Ns4AAxfm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-jp7v-3587-2956, CVE-2023-24827
References:
- https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956
- https://nvd.nist.gov/vuln/detail/CVE-2023-24827
- https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3
- https://github.com/advisories/GHSA-jp7v-3587-2956
Blast Radius: 14.6
Affected Packages
go:github.com/anchore/syft
Dependent packages: 169Dependent repositories: 179
Downloads:
Affected Version Ranges: >= 0.69.0, < 0.70.0
Fixed in: 0.70.0
All affected versions: 0.69.0, 0.69.1
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.32.1, 0.32.2, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.37.3, 0.37.4, 0.37.5, 0.37.6, 0.37.7, 0.37.8, 0.37.9, 0.37.10, 0.38.0, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.41.3, 0.41.4, 0.41.5, 0.41.6, 0.42.0, 0.42.1, 0.42.2, 0.42.3, 0.42.4, 0.43.0, 0.43.1, 0.43.2, 0.44.0, 0.44.1, 0.45.0, 0.45.1, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.47.0, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.53.1, 0.53.2, 0.53.3, 0.53.4, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.60.1, 0.60.2, 0.60.3, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.62.3, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.66.1, 0.66.2, 0.66.7, 0.67.0, 0.68.0, 0.68.1, 0.70.0, 0.71.0, 0.72.0, 0.72.1, 0.73.0, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.82.0, 0.83.0, 0.83.1, 0.84.0, 0.84.1, 0.85.0, 0.86.0, 0.86.1, 0.87.0, 0.87.1, 0.88.0, 0.89.0, 0.90.0, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.95.0, 0.96.0, 0.97.0, 0.97.1, 0.98.0, 0.99.0, 0.100.0, 0.101.0, 0.101.1, 0.102.0, 0.103.0, 0.103.1, 0.104.0, 0.105.0, 0.105.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0