
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable. The `SYFT_ATTEST_PASSWORD` environment variable is used by the `syft attest` command to generate attested SBOMs for the given container image: it decrypts the private key (provided with `syft attest --key <path-to-key-file>`) during the signing process while generating an SBOM attestation.

References:
• https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3
• https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956

Weaknesses:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-532: Insertion of Sensitive Information into Log File