|
| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "RUSTSEC-0000-0000" |
| 4 | +package = "object_store" |
| 5 | +date = "2024-07-23" |
| 6 | +url = "https://github.com/apache/arrow-rs/pull/6074" |
| 7 | +references = ["https://www.openwall.com/lists/oss-security/2024/07/23/3"] |
| 8 | +cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" |
| 9 | + |
| 10 | +keywords = ["information", "leak", "aws", "oidc", "logs"] |
| 11 | +aliases = ["CVE-2024-41178"] |
| 12 | + |
| 13 | +[versions] |
| 14 | +patched = [">= 0.10.2"] |
| 15 | + |
| 16 | +unaffected = ["< 0.5.0"] |
| 17 | +``` |
| 18 | + |
| 19 | +# Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files |
| 20 | + |
| 21 | +Exposure of temporary credentials in logs in Apache Arrow Rust Object Store, |
| 22 | +version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. |
| 23 | + |
| 24 | +On certain error conditions, the logs may contain the OIDC token passed to |
| 25 | +[AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). |
| 26 | +This allows someone with access to the logs to impersonate that identity, |
| 27 | +including performing their own calls to AssumeRoleWithWebIdentity, until the |
| 28 | +OIDC token expires. Typically OIDC tokens are valid for up to an hour, although |
| 29 | +this will vary depending on the issuer. |
| 30 | + |
| 31 | +Users are recommended to use a different AWS authentication mechanism, disable |
| 32 | +logging or upgrade to version 0.10.2, which fixes this issue. |
| 33 | + |
| 34 | +## Details |
| 35 | + |
| 36 | +When using AWS WebIdentityTokens with the `object_store` crate, in the event of |
| 37 | +a failure and automatic retry, the underlying `reqwest` error, including the |
| 38 | +full URL with the credentials, potentially in the parameters, is written to the |
| 39 | +logs. |
| 40 | + |
| 41 | +Thanks to Paul Hatcherian for reporting this vulnerability |
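Review bot: the `unaffected = ["< 0.5.0"]` range in the `[versions]` table is not backed by anything in the advisory text, which says "version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens"; either cite the `object_store` release that introduced the WebIdentityToken / AssumeRoleWithWebIdentity credential provider so the lower bound can be checked, or drop `unaffected` and keep only `patched = [">= 0.10.2"]`. Minor: splitting "information leak" into the separate keywords `"information"` and `"leak"` makes the entry match unrelated searches; a single `"information-leak"` keyword is more useful. `id = "RUSTSEC-0000-0000"` is the usual placeholder; confirm the real identifier is assigned before merge.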