CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2024-41178 – Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files
https://notcve.org/view.php?id=CVE-2024-41178
23 Jul 2024 — Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until th... • http://www.openwall.com/lists/oss-security/2024/07/23/3 • CWE-532: Insertion of Sensitive Information into Log File