laf logs leak
CVE-2023-50253

9.7CRITICAL

Key Information:

Vendor: Labring
Status: Laf
Vendor: CVE Published:; 3 January 2024

What is CVE-2023-50253?

The Laf cloud development platform has a vulnerability related to improper access control in its logging functionality. Specifically, in versions 1.0.0-beta.13 and earlier, the platform's method for retrieving logs from containers does not adequately verify the permissions of the pods. This oversight permits authenticated users to access logs from any pod within the same namespace. As a result, sensitive information reflected in the logs may be exposed. Currently, there are no patched versions available to address this issue.

Affected Version(s)

laf <= 1.0.0-beta.13

References

https://github.com/labring/laf/security/advisories/GHSA-g...

x_refsource_CONFIRM

https://github.com/labring/laf/pull/1468

x_refsource_MISC

CVSS V3.1

Score:

9.7

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 3, 2024
Vulnerability Reserved
Dec 5, 2023

CVE-2023-50253 Data

JSON

Labring

What is CVE-2023-50253?

Affected Version(s)

References

CVSS V3.1

Timeline