CVE-2023-30610
AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
Public Exploits: 0
Exploited in Wild: -
Descriptions
aws-sigv4 is a Rust library for low-level request signing on the AWS cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`) or for the `aws-sigv4` crate specifically, are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.
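The failure mode described above, reduced to a self-contained Rust sketch (an added example, not code from aws-sigv4 or the advisory). `LeakyParams` and `RedactedParams` are hypothetical stand-ins for `SigningParams`, `trace_line` imitates a TRACE log statement, and all credential values are constructed.

```rust
use std::fmt;

// Hypothetical stand-ins, not the real aws_sigv4::SigningParams definition.
#[allow(dead_code)]
#[derive(Debug)] // vulnerable pattern: derived Debug prints every field
struct LeakyParams<'a> {
    access_key: &'a str,
    secret_key: &'a str,
    security_token: Option<&'a str>,
    region: &'a str,
}

#[allow(dead_code)]
struct RedactedParams<'a> {
    access_key: &'a str,
    secret_key: &'a str,
    security_token: Option<&'a str>,
    region: &'a str,
}

// Hand-written Debug: secrets are replaced, non-sensitive fields stay useful.
impl fmt::Debug for RedactedParams<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("RedactedParams")
            .field("access_key", &"** redacted **")
            .field("secret_key", &"** redacted **")
            .field("security_token", &self.security_token.map(|_| "** redacted **"))
            .field("region", &self.region)
            .finish()
    }
}

// Imitates what a TRACE-level log statement does with its argument.
fn trace_line<T: fmt::Debug>(params: &T) -> String {
    format!("TRACE signing request: {:?}", params)
}

// Constructed sample values, not real credentials.
const AK: &str = "AKIA-CONSTRUCTED-KEY";
const SK: &str = "constructed-secret-value";
const TOKEN: &str = "constructed-session-token";
fn leaky_log_line() -> String {
    trace_line(&LeakyParams { access_key: AK, secret_key: SK, security_token: Some(TOKEN), region: "us-east-1" })
}
fn redacted_log_line() -> String {
    trace_line(&RedactedParams { access_key: AK, secret_key: SK, security_token: Some(TOKEN), region: "us-east-1" })
}
fn main() {
    println!("{}\n{}", leaky_log_line(), redacted_log_line());
}
```

The same substring check used here works as a regression test in any crate that holds secrets in a struct: format the value with `{:?}` and assert the secret does not appear.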
SSVC
- Decision: -
Timeline
- 2023-04-13 CVE Reserved
- 2023-04-19 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-532: Insertion of Sensitive Information into Log File
References (1)
URL | Date | SRC |
---|---|---|
https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9 | 2023-05-01 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Amazon | Aws-sigv4 | 0.2.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.3.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.4.1 | rust | Affected |
Amazon | Aws-sigv4 | 0.5.2 | rust | Affected |
Amazon | Aws-sigv4 | 0.6.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.7.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.8.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.9.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.10.1 | rust | Affected |
Amazon | Aws-sigv4 | 0.11.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.12.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.13.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.14.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.15.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.46.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.47.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.48.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.49.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.50.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.51.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.52.0 | rust | Affected |
Amazon | Aws-sigv4 | 0.53.1 | rust | Affected |
Amazon | Aws-sigv4 | 0.54.1 | rust | Affected |
Amazon | Aws-sigv4 | 0.55.0 | rust | Affected |