CVE-2023-48225

Published: Dec 12, 2023

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

8.9

HIGH

Description

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

Vendor	Product	Versions
labring	laf	affected `< 1.0.0-beta13`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp

x_refsource_CONFIRM

https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50

x_refsource_MISC

https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-48225

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References