Lucene search

GitHub_MCVE-2023-48225

HistoryDec 12, 2023 - 9:15 p.m.

CVE-2023-48225

2023-12-1221:15:08

CWE-200

GitHub_M

web.nvd.nist.gov

laf

cloud

development

platform

security

vulnerability

sensitive information

leakage

privatization

environment

nvd

cve-2023-48225

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when namespaceConf. fixed is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

Affected configurations

Nvd

Vulners

Node

laflafMatch0.1.5

laflafMatch0.4.0

laflafMatch0.4.1

laflafMatch0.4.2

laflafMatch0.4.3

laflafMatch0.4.4

laflafMatch0.4.5

laflafMatch0.4.6

laflafMatch0.4.7

laflafMatch0.4.8

laflafMatch0.4.9

laflafMatch0.4.10

laflafMatch0.4.11

laflafMatch0.4.12

laflafMatch0.4.13

laflafMatch0.4.14

laflafMatch0.4.15

laflafMatch0.4.16

laflafMatch0.4.17

laflafMatch0.4.18

laflafMatch0.4.19

laflafMatch0.4.20

laflafMatch0.4.21alpha0

laflafMatch0.5.0

laflafMatch0.5.0alpha0

laflafMatch0.5.0alpha1

laflafMatch0.5.0alpha2

laflafMatch0.5.0alpha3

laflafMatch0.5.1

laflafMatch0.5.1alpha0

laflafMatch0.5.2

laflafMatch0.5.2alpha0

laflafMatch0.5.3

laflafMatch0.5.4

laflafMatch0.5.4alpha0

laflafMatch0.5.5

laflafMatch0.5.5alpha0

laflafMatch0.5.6

laflafMatch0.5.7

laflafMatch0.5.7alpha0

laflafMatch0.5.8alpha0

laflafMatch0.6.0

laflafMatch0.6.0alpha0

laflafMatch0.6.0alpha1

laflafMatch0.6.0alpha10

laflafMatch0.6.0alpha2

laflafMatch0.6.0alpha3

laflafMatch0.6.0alpha4

laflafMatch0.6.0alpha5

laflafMatch0.6.0alpha6

laflafMatch0.6.0alpha7

laflafMatch0.6.0alpha8

laflafMatch0.6.0alpha9

laflafMatch0.6.1

laflafMatch0.6.2

laflafMatch0.6.3

laflafMatch0.6.4

laflafMatch0.6.5

laflafMatch0.6.6

laflafMatch0.6.7

laflafMatch0.6.8

laflafMatch0.6.9

laflafMatch0.6.10

laflafMatch0.6.11

laflafMatch0.6.12

laflafMatch0.6.13

laflafMatch0.6.14

laflafMatch0.6.15

laflafMatch0.6.16

laflafMatch0.6.17

laflafMatch0.6.18

laflafMatch0.6.19

laflafMatch0.6.20

laflafMatch0.6.21

laflafMatch0.6.22

laflafMatch0.6.23

laflafMatch0.7.0

laflafMatch0.7.1

laflafMatch0.7.2

laflafMatch0.7.3

laflafMatch0.7.4

laflafMatch0.7.5

laflafMatch0.7.6

laflafMatch0.7.7

laflafMatch0.7.8

laflafMatch0.7.9

laflafMatch0.7.10

laflafMatch0.7.11

laflafMatch0.8.0

laflafMatch0.8.0alpha0

laflafMatch0.8.0alpha1

laflafMatch0.8.0alpha10

laflafMatch0.8.0alpha11

laflafMatch0.8.0alpha2

laflafMatch0.8.0alpha3

laflafMatch0.8.0alpha4

laflafMatch0.8.0alpha5

laflafMatch0.8.0alpha6

laflafMatch0.8.0alpha7

laflafMatch0.8.0alpha8

laflafMatch0.8.0alpha9

laflafMatch0.8.1

laflafMatch0.8.2

laflafMatch0.8.3

laflafMatch0.8.4

laflafMatch0.8.5

laflafMatch0.8.5alpha0

laflafMatch0.8.6

laflafMatch0.8.7

laflafMatch0.8.7alpha0

laflafMatch0.8.7alpha1

laflafMatch0.8.7alpha2

laflafMatch0.8.7alpha3

laflafMatch0.8.8

laflafMatch0.8.9

laflafMatch0.8.10

laflafMatch0.8.11

laflafMatch0.8.12

laflafMatch0.8.13

laflafMatch1.0.0alpha0

laflafMatch1.0.0alpha1

laflafMatch1.0.0alpha2

laflafMatch1.0.0alpha3

laflafMatch1.0.0alpha4

laflafMatch1.0.0alpha5

laflafMatch1.0.0alpha6

laflafMatch1.0.0beta0

laflafMatch1.0.0beta1

laflafMatch1.0.0beta10

laflafMatch1.0.0beta11

laflafMatch1.0.0beta12

laflafMatch1.0.0beta13

laflafMatch1.0.0beta2

laflafMatch1.0.0beta3

laflafMatch1.0.0beta4

laflafMatch1.0.0beta5

laflafMatch1.0.0beta6

laflafMatch1.0.0beta7

laflafMatch1.0.0beta8

laflafMatch1.0.0beta9

VendorProductVersionCPE
laflaf0.1.5cpe:2.3:a:laf:laf:0.1.5:*:*:*:*:*:*:*
laflaf0.4.0cpe:2.3:a:laf:laf:0.4.0:*:*:*:*:*:*:*
laflaf0.4.1cpe:2.3:a:laf:laf:0.4.1:*:*:*:*:*:*:*
laflaf0.4.2cpe:2.3:a:laf:laf:0.4.2:*:*:*:*:*:*:*
laflaf0.4.3cpe:2.3:a:laf:laf:0.4.3:*:*:*:*:*:*:*
laflaf0.4.4cpe:2.3:a:laf:laf:0.4.4:*:*:*:*:*:*:*
laflaf0.4.5cpe:2.3:a:laf:laf:0.4.5:*:*:*:*:*:*:*
laflaf0.4.6cpe:2.3:a:laf:laf:0.4.6:*:*:*:*:*:*:*
laflaf0.4.7cpe:2.3:a:laf:laf:0.4.7:*:*:*:*:*:*:*
laflaf0.4.8cpe:2.3:a:laf:laf:0.4.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
laf	laf	0.1.5	cpe:2.3:a:laf:laf:0.1.5:::::::*
laf	laf	0.4.0	cpe:2.3:a:laf:laf:0.4.0:::::::*
laf	laf	0.4.1	cpe:2.3:a:laf:laf:0.4.1:::::::*
laf	laf	0.4.2	cpe:2.3:a:laf:laf:0.4.2:::::::*
laf	laf	0.4.3	cpe:2.3:a:laf:laf:0.4.3:::::::*
laf	laf	0.4.4	cpe:2.3:a:laf:laf:0.4.4:::::::*
laf	laf	0.4.5	cpe:2.3:a:laf:laf:0.4.5:::::::*
laf	laf	0.4.6	cpe:2.3:a:laf:laf:0.4.6:::::::*
laf	laf	0.4.7	cpe:2.3:a:laf:laf:0.4.7:::::::*
laf	laf	0.4.8	cpe:2.3:a:laf:laf:0.4.8:::::::*

Rows per page:

1-10 of 1401

CNA Affected

[
  {
    "vendor": "labring",
    "product": "laf",
    "versions": [
      {
        "version": "< 1.0.0-beta13",
        "status": "affected"
      }
    ]
  }
]

References

github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50

github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306

github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Related for CVE-2023-48225