CVE-2023-0436

Secret logging may occur in debug mode of Atlas Operator

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.

Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.
Required Configuration:

DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )

Las versiones afectadas de MongoDB Atlas Kubernetes Operator pueden imprimir información confidencial, como claves de cuenta de servicio de GCP y secretos de integración de API, mientras el registro en modo DEBUG está habilitado. Este problema afecta a las versiones de MongoDB Atlas Kubernetes Operador: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Tenga en cuenta que esto se informa en una versión EOL del producto y se recomienda a los usuarios que actualicen a la última versión compatible. Configuración requerida: el registro DEBUG no está habilitado de forma predeterminada y debe configurarlo el usuario final. Para verificar el nivel de registro del Operador, revise los indicadores pasados en su configuración de implementación (por ejemplo, https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27)

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-01-23 CVE Reserved
2023-11-07 CVE Published
2023-11-15 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1	2023-11-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mongodb Search vendor "Mongodb"		Atlas Kubernetes Operator Search vendor "Mongodb" for product "Atlas Kubernetes Operator"				>= 1.6.0 < 1.7.1 Search vendor "Mongodb" for product "Atlas Kubernetes Operator" and version " >= 1.6.0 < 1.7.1"		-		Affected
Mongodb Search vendor "Mongodb"		Atlas Kubernetes Operator Search vendor "Mongodb" for product "Atlas Kubernetes Operator"				1.5.0 Search vendor "Mongodb" for product "Atlas Kubernetes Operator" and version "1.5.0"		-		Affected