S3 credentials included when exporting elyra notebook
CVE-2023-3361

7.7HIGH

Key Information:

Vendor: Red Hat
Status: Odh-dashboard; Red Hat Openshift Data Science (rhods)
Vendor: CVE Published:; 4 October 2023

Summary

A vulnerability exists in Red Hat OpenShift Data Science that compromises the security of S3 credentials during the export of pipelines from the Elyra notebook pipeline editor. When exporting as Python DSL or YAML, the system erroneously saves sensitive S3 credentials in plain text within the generated output. This occurs instead of using an identifier for a stored Kubernetes secret, leading to potential unauthorized access to sensitive data.

Affected Version(s)

odh-dashboard 1.28.1

References

https://access.redhat.com/security/cve/CVE-2023-3361

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2216588

issue-trackingx_refsource_REDHAT

https://github.com/opendatahub-io/odh-dashboard/issues/1415

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 4, 2023
Vulnerability Reserved
Jun 22, 2023