History: Nov 07, 2023 - 11:44 a.m.

CVE-2023-0436 Secret logging may occur in debug mode of Atlas Operator

CWE-532
mongodb
www.cve.org
Tags: cve-2023-0436, secret logging, debug mode, atlas operator, mongodb atlas, kubernetes operator, sensitive information, gcp service account keys, api integration secrets, eol version, upgrade required

CVSS3

4.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

37.2%

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.

Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.
Required Configuration:

DEBUG logging is not enabled by default and must be configured by the end user. To check the log level of the Operator, review the flags passed in your deployment configuration (e.g. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27).
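As an added example (not MongoDB's code), the following audit applies the advisory's two conditions to a Deployment manifest: an image in the affected 1.5.0 to 1.7.0 range and a DEBUG log level. The `--log-level` flag name, the image name and the sample manifest are assumptions to be verified against the linked manager.yaml.

```python
"""Audit an Atlas Operator Deployment for CVE-2023-0436 exposure (constructed example).

Assumes the operator's log level is set with a `--log-level` container argument
(`--log-level=debug` or `--log-level debug`); confirm the flag in your manager.yaml.
"""
import re
from typing import Optional

AFFECTED_MIN, AFFECTED_MAX = (1, 5, 0), (1, 7, 0)  # advisory range, inclusive


def parse_version(image: str) -> Optional[tuple]:
    """(major, minor, patch) from the image tag, or None if untagged / digest-only."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)(?:[-@]|$)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def log_level(args: list) -> Optional[str]:
    """Value of the (assumed) --log-level flag, lower-cased, or None if absent."""
    for i, arg in enumerate(args):
        if arg.startswith("--log-level="):
            return arg.split("=", 1)[1].lower()
        if arg == "--log-level" and i + 1 < len(args):
            return args[i + 1].lower()
    return None


def audit(deployment: dict) -> list:
    """One finding per container that is in the affected range and logging at DEBUG."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        ver = parse_version(c.get("image", ""))
        if ver is None:
            findings.append(f"{c['name']}: image tag is not semver, verify version manually")
            continue
        if AFFECTED_MIN <= ver <= AFFECTED_MAX and log_level(c.get("args", [])) == "debug":
            findings.append(f"{c['name']}: {'.'.join(map(str, ver))} with DEBUG logging, "
                            "secrets may reach logs; lower the level and upgrade")
    return findings


# Constructed sample Deployment (manifest shape only; image and flag are assumptions)
SAMPLE = {"spec": {"template": {"spec": {"containers": [
    {"name": "manager", "image": "quay.io/mongodb/mongodb-atlas-kubernetes-operator:1.6.1",
     "args": ["--log-level=debug"]},
    {"name": "sidecar", "image": "example.invalid/sidecar:latest", "args": []},
]}}}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Untagged or `latest` images are reported for manual review rather than silently passed, since the version cannot be read from the tag.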

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MongoDB Atlas Kubernetes Operator",
    "vendor": "MongoDB Inc",
    "versions": [
      {
        "lessThanOrEqual": "1.7.0",
        "status": "affected",
        "version": "1.5.0",
        "versionType": "custom"
      }
    ]
  }
]
