Lucene search

GitHub_MCVE-2023-50253

HistoryJan 03, 2024 - 5:15 p.m.

CVE-2023-50253

2024-01-0317:15:11

CWE-532

CWE-200

GitHub_M

web.nvd.nist.gov

laf

cloud development

security

cve-2023-50253

nvd

logs

kubernetes

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.

Affected configurations

Nvd

Vulners

Node

laflafMatch0.1.5

laflafMatch0.4.0

laflafMatch0.4.1

laflafMatch0.4.2

laflafMatch0.4.3

laflafMatch0.4.4

laflafMatch0.4.5

laflafMatch0.4.6

laflafMatch0.4.7

laflafMatch0.4.8

laflafMatch0.4.9

laflafMatch0.4.10

laflafMatch0.4.11

laflafMatch0.4.12

laflafMatch0.4.13

laflafMatch0.4.14

laflafMatch0.4.15

laflafMatch0.4.16

laflafMatch0.4.17

laflafMatch0.4.18

laflafMatch0.4.19

laflafMatch0.4.20

laflafMatch0.4.21alpha0

laflafMatch0.5.0-

laflafMatch0.5.0alpha0

laflafMatch0.5.0alpha1

laflafMatch0.5.0alpha2

laflafMatch0.5.0alpha3

laflafMatch0.5.1-

laflafMatch0.5.1alpha0

laflafMatch0.5.2-

laflafMatch0.5.2alpha0

laflafMatch0.5.3

laflafMatch0.5.4-

laflafMatch0.5.4alpha0

laflafMatch0.5.5-

laflafMatch0.5.5alpha0

laflafMatch0.5.6

laflafMatch0.5.7-

laflafMatch0.5.7alpha0

laflafMatch0.5.8alpha0

laflafMatch0.6.0-

laflafMatch0.6.0alpha0

laflafMatch0.6.0alpha1

laflafMatch0.6.0alpha10

laflafMatch0.6.0alpha2

laflafMatch0.6.0alpha3

laflafMatch0.6.0alpha4

laflafMatch0.6.0alpha5

laflafMatch0.6.0alpha6

laflafMatch0.6.0alpha7

laflafMatch0.6.0alpha8

laflafMatch0.6.0alpha9

laflafMatch0.6.1

laflafMatch0.6.2

laflafMatch0.6.3

laflafMatch0.6.4

laflafMatch0.6.5

laflafMatch0.6.6

laflafMatch0.6.7

laflafMatch0.6.8

laflafMatch0.6.9

laflafMatch0.6.10

laflafMatch0.6.11

laflafMatch0.6.12

laflafMatch0.6.13

laflafMatch0.6.14

laflafMatch0.6.15

laflafMatch0.6.16

laflafMatch0.6.17

laflafMatch0.6.18

laflafMatch0.6.19

laflafMatch0.6.20

laflafMatch0.6.21

laflafMatch0.6.22

laflafMatch0.6.23

laflafMatch0.7.0

laflafMatch0.7.1

laflafMatch0.7.2

laflafMatch0.7.3

laflafMatch0.7.4

laflafMatch0.7.5

laflafMatch0.7.6

laflafMatch0.7.7

laflafMatch0.7.8

laflafMatch0.7.9

laflafMatch0.7.10

laflafMatch0.7.11

laflafMatch0.8.0-

laflafMatch0.8.0alpha0

laflafMatch0.8.0alpha1

laflafMatch0.8.0alpha10

laflafMatch0.8.0alpha11

laflafMatch0.8.0alpha2

laflafMatch0.8.0alpha3

laflafMatch0.8.0alpha4

laflafMatch0.8.0alpha5

laflafMatch0.8.0alpha6

laflafMatch0.8.0alpha7

laflafMatch0.8.0alpha8

laflafMatch0.8.0alpha9

laflafMatch0.8.1

laflafMatch0.8.2

laflafMatch0.8.3

laflafMatch0.8.4

laflafMatch0.8.5-

laflafMatch0.8.5alpha0

laflafMatch0.8.6

laflafMatch0.8.7-

laflafMatch0.8.7alpha0

laflafMatch0.8.7alpha1

laflafMatch0.8.7alpha2

laflafMatch0.8.7alpha3

laflafMatch0.8.8

laflafMatch0.8.9

laflafMatch0.8.10

laflafMatch0.8.11

laflafMatch0.8.12

laflafMatch0.8.13

laflafMatch1.0.0alpha0

laflafMatch1.0.0alpha1

laflafMatch1.0.0alpha2

laflafMatch1.0.0alpha3

laflafMatch1.0.0alpha4

laflafMatch1.0.0alpha5

laflafMatch1.0.0alpha6

laflafMatch1.0.0beta0

laflafMatch1.0.0beta1

laflafMatch1.0.0beta10

laflafMatch1.0.0beta11

laflafMatch1.0.0beta12

laflafMatch1.0.0beta2

laflafMatch1.0.0beta3

laflafMatch1.0.0beta4

laflafMatch1.0.0beta5

laflafMatch1.0.0beta6

laflafMatch1.0.0beta7

laflafMatch1.0.0beta8

laflafMatch1.0.0beta9

VendorProductVersionCPE
laflaf0.1.5cpe:2.3:a:laf:laf:0.1.5:*:*:*:*:*:*:*
laflaf0.4.0cpe:2.3:a:laf:laf:0.4.0:*:*:*:*:*:*:*
laflaf0.4.1cpe:2.3:a:laf:laf:0.4.1:*:*:*:*:*:*:*
laflaf0.4.2cpe:2.3:a:laf:laf:0.4.2:*:*:*:*:*:*:*
laflaf0.4.3cpe:2.3:a:laf:laf:0.4.3:*:*:*:*:*:*:*
laflaf0.4.4cpe:2.3:a:laf:laf:0.4.4:*:*:*:*:*:*:*
laflaf0.4.5cpe:2.3:a:laf:laf:0.4.5:*:*:*:*:*:*:*
laflaf0.4.6cpe:2.3:a:laf:laf:0.4.6:*:*:*:*:*:*:*
laflaf0.4.7cpe:2.3:a:laf:laf:0.4.7:*:*:*:*:*:*:*
laflaf0.4.8cpe:2.3:a:laf:laf:0.4.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
laf	laf	0.1.5	cpe:2.3:a:laf:laf:0.1.5:::::::*
laf	laf	0.4.0	cpe:2.3:a:laf:laf:0.4.0:::::::*
laf	laf	0.4.1	cpe:2.3:a:laf:laf:0.4.1:::::::*
laf	laf	0.4.2	cpe:2.3:a:laf:laf:0.4.2:::::::*
laf	laf	0.4.3	cpe:2.3:a:laf:laf:0.4.3:::::::*
laf	laf	0.4.4	cpe:2.3:a:laf:laf:0.4.4:::::::*
laf	laf	0.4.5	cpe:2.3:a:laf:laf:0.4.5:::::::*
laf	laf	0.4.6	cpe:2.3:a:laf:laf:0.4.6:::::::*
laf	laf	0.4.7	cpe:2.3:a:laf:laf:0.4.7:::::::*
laf	laf	0.4.8	cpe:2.3:a:laf:laf:0.4.8:::::::*

Rows per page:

1-10 of 1391

CNA Affected

[
  {
    "vendor": "labring",
    "product": "laf",
    "versions": [
      {
        "version": "<= 1.0.0-beta.13",
        "status": "affected"
      }
    ]
  }
]

References

github.com/labring/laf/pull/1468

github.com/labring/laf/security/advisories/GHSA-g9c8-wh35-g75f

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Related for CVE-2023-50253