CVE-2022-23538 – User credentials leaked to third-party service via HTTP redirect in scs-library-client

https://notcve.org/view.php?id=CVE-2022-23538

github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. • https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa https://github.com/sylabs/scs-library-client/commit/b5db2aacba6bf1231f42dd475cc32e6355ab47b2 https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7 • CWE-522: Insufficiently Protected Credentials •