Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yamM2LXZtNGgtODVjZ84AA_eY
Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs
Summary
The AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless applications built on AWS. AWS SAM CLI can build container (Docker) images and customers can specify arguments in the SAM template that are passed to the Docker engine during build [1].
Impact
If customers specify sensitive data in the DockerBuildArgs parameter of their template, the sensitive data will be shown in clear text in the AWS SAM CLI output via STDERR when running the sam build command.
Patches
A patch is included in aws-sam-cli>=1.122.0.
We strongly recommend customers install AWS SAM CLI v1.122.0 or above. Please review logs produced by your SAM CLI runs if you have used the DockerBuildArgs parameter and consider rotating the secrets if you believe they were exposed.
References
If you have any questions or comments about this issue, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [2] or directly via email to [email protected]. Please do not create a public GitHub issue.
[2] https://aws.amazon.com/security/vulnerability-reporting
Permalink: https://github.com/advisories/GHSA-rjc6-vm4h-85cgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yamM2LXZtNGgtODVjZ84AA_eY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-rjc6-vm4h-85cg
References:
- https://github.com/aws/aws-sam-cli/security/advisories/GHSA-rjc6-vm4h-85cg
- https://github.com/advisories/GHSA-rjc6-vm4h-85cg
Blast Radius: 12.2
Affected Packages
pypi:aws-sam-cli
Dependent packages: 3Dependent repositories: 344
Downloads: 1,104,403 last month
Affected Version Ranges: < 1.122.0
Fixed in: 1.122.0
All affected versions: 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.33.1, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1, 0.46.2, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.2, 1.4.0, 1.6.0, 1.6.2, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.21.1, 1.22.0, 1.23.0, 1.24.0, 1.24.1, 1.25.0, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.34.1, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.38.1, 1.39.0, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.43.0, 1.44.0, 1.45.0, 1.46.0, 1.47.0, 1.48.0, 1.49.0, 1.50.0, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.56.0, 1.56.1, 1.57.0, 1.58.0, 1.59.0, 1.60.0, 1.61.0, 1.62.0, 1.63.0, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.70.1, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.81.0, 1.82.0, 1.83.0, 1.84.0, 1.85.0, 1.86.0, 1.86.1, 1.87.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.92.0, 1.93.0, 1.94.0, 1.95.0, 1.96.0, 1.97.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0, 1.106.0, 1.107.0, 1.108.0, 1.109.0, 1.110.0, 1.111.0, 1.112.0, 1.113.0, 1.114.0, 1.115.0, 1.116.0, 1.117.0, 1.118.0, 1.119.0, 1.120.0, 1.121.0
All unaffected versions: 1.122.0, 1.123.0, 1.124.0, 1.125.0, 1.126.0, 1.127.0, 1.128.0, 1.129.0, 1.130.0