CVE-2023-48225 - Vulnerability Details

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00151.

Key SSVC decision points have not yet been added.

Vendors	Products
Laf	Laf

Configuration 1 [-]

OR	cpe:2.3:a:laf:laf:0.1.5:::::::*
	cpe:2.3:a:laf:laf:0.4.0:::::::*
	cpe:2.3:a:laf:laf:0.4.1:::::::*
	cpe:2.3:a:laf:laf:0.4.2:::::::*
	cpe:2.3:a:laf:laf:0.4.3:::::::*
	cpe:2.3:a:laf:laf:0.4.4:::::::*
	cpe:2.3:a:laf:laf:0.4.5:::::::*
	cpe:2.3:a:laf:laf:0.4.6:::::::*
	cpe:2.3:a:laf:laf:0.4.7:::::::*
	cpe:2.3:a:laf:laf:0.4.8:::::::*
	cpe:2.3:a:laf:laf:0.4.9:::::::*
	cpe:2.3:a:laf:laf:0.4.10:::::::*
	cpe:2.3:a:laf:laf:0.4.11:::::::*
	cpe:2.3:a:laf:laf:0.4.12:::::::*
	cpe:2.3:a:laf:laf:0.4.13:::::::*
	cpe:2.3:a:laf:laf:0.4.14:::::::*
	cpe:2.3:a:laf:laf:0.4.15:::::::*
	cpe:2.3:a:laf:laf:0.4.16:::::::*
	cpe:2.3:a:laf:laf:0.4.17:::::::*
	cpe:2.3:a:laf:laf:0.4.18:::::::*
	cpe:2.3:a:laf:laf:0.4.19:::::::*
	cpe:2.3:a:laf:laf:0.4.20:::::::*
	cpe:2.3:a:laf:laf:0.4.21:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.0:::::::*
	cpe:2.3:a:laf:laf:0.5.0:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.0:alpha1::::::
	cpe:2.3:a:laf:laf:0.5.0:alpha2::::::
	cpe:2.3:a:laf:laf:0.5.0:alpha3::::::
	cpe:2.3:a:laf:laf:0.5.1:::::::*
	cpe:2.3:a:laf:laf:0.5.1:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.2:::::::*
	cpe:2.3:a:laf:laf:0.5.2:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.3:::::::*
	cpe:2.3:a:laf:laf:0.5.4:::::::*
	cpe:2.3:a:laf:laf:0.5.4:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.5:::::::*
	cpe:2.3:a:laf:laf:0.5.5:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.6:::::::*
	cpe:2.3:a:laf:laf:0.5.7:::::::*
	cpe:2.3:a:laf:laf:0.5.7:alpha0::::::
	cpe:2.3:a:laf:laf:0.5.8:alpha0::::::
	cpe:2.3:a:laf:laf:0.6.0:::::::*
	cpe:2.3:a:laf:laf:0.6.0:alpha0::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha1::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha10::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha2::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha3::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha4::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha5::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha6::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha7::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha8::::::
	cpe:2.3:a:laf:laf:0.6.0:alpha9::::::
	cpe:2.3:a:laf:laf:0.6.1:::::::*
	cpe:2.3:a:laf:laf:0.6.2:::::::*
	cpe:2.3:a:laf:laf:0.6.3:::::::*
	cpe:2.3:a:laf:laf:0.6.4:::::::*
	cpe:2.3:a:laf:laf:0.6.5:::::::*
	cpe:2.3:a:laf:laf:0.6.6:::::::*
	cpe:2.3:a:laf:laf:0.6.7:::::::*
	cpe:2.3:a:laf:laf:0.6.8:::::::*
	cpe:2.3:a:laf:laf:0.6.9:::::::*
	cpe:2.3:a:laf:laf:0.6.10:::::::*
	cpe:2.3:a:laf:laf:0.6.11:::::::*
cpe:2.3:a:laf:laf:0.6.12:::::::*
cpe:2.3:a:laf:laf:0.6.13:::::::*
cpe:2.3:a:laf:laf:0.6.14:::::::*
cpe:2.3:a:laf:laf:0.6.15:::::::*
cpe:2.3:a:laf:laf:0.6.16:::::::*
cpe:2.3:a:laf:laf:0.6.17:::::::*
cpe:2.3:a:laf:laf:0.6.18:::::::*
cpe:2.3:a:laf:laf:0.6.19:::::::*
cpe:2.3:a:laf:laf:0.6.20:::::::*
cpe:2.3:a:laf:laf:0.6.21:::::::*
cpe:2.3:a:laf:laf:0.6.22:::::::*
cpe:2.3:a:laf:laf:0.6.23:::::::*
cpe:2.3:a:laf:laf:0.7.0:::::::*
cpe:2.3:a:laf:laf:0.7.1:::::::*
cpe:2.3:a:laf:laf:0.7.2:::::::*
cpe:2.3:a:laf:laf:0.7.3:::::::*
cpe:2.3:a:laf:laf:0.7.4:::::::*
cpe:2.3:a:laf:laf:0.7.5:::::::*
cpe:2.3:a:laf:laf:0.7.6:::::::*
cpe:2.3:a:laf:laf:0.7.7:::::::*
cpe:2.3:a:laf:laf:0.7.8:::::::*
cpe:2.3:a:laf:laf:0.7.9:::::::*
cpe:2.3:a:laf:laf:0.7.10:::::::*
cpe:2.3:a:laf:laf:0.7.11:::::::*
cpe:2.3:a:laf:laf:0.8.0:::::::*
cpe:2.3:a:laf:laf:0.8.0:alpha0::::::
cpe:2.3:a:laf:laf:0.8.0:alpha1::::::
cpe:2.3:a:laf:laf:0.8.0:alpha10::::::
cpe:2.3:a:laf:laf:0.8.0:alpha11::::::
cpe:2.3:a:laf:laf:0.8.0:alpha2::::::
cpe:2.3:a:laf:laf:0.8.0:alpha3::::::
cpe:2.3:a:laf:laf:0.8.0:alpha4::::::
cpe:2.3:a:laf:laf:0.8.0:alpha5::::::
cpe:2.3:a:laf:laf:0.8.0:alpha6::::::
cpe:2.3:a:laf:laf:0.8.0:alpha7::::::
cpe:2.3:a:laf:laf:0.8.0:alpha8::::::
cpe:2.3:a:laf:laf:0.8.0:alpha9::::::
cpe:2.3:a:laf:laf:0.8.1:::::::*
cpe:2.3:a:laf:laf:0.8.2:::::::*
cpe:2.3:a:laf:laf:0.8.3:::::::*
cpe:2.3:a:laf:laf:0.8.4:::::::*
cpe:2.3:a:laf:laf:0.8.5:::::::*
cpe:2.3:a:laf:laf:0.8.5:alpha0::::::
cpe:2.3:a:laf:laf:0.8.6:::::::*
cpe:2.3:a:laf:laf:0.8.7:::::::*
cpe:2.3:a:laf:laf:0.8.7:alpha0::::::
cpe:2.3:a:laf:laf:0.8.7:alpha1::::::
cpe:2.3:a:laf:laf:0.8.7:alpha2::::::
cpe:2.3:a:laf:laf:0.8.7:alpha3::::::
cpe:2.3:a:laf:laf:0.8.8:::::::*
cpe:2.3:a:laf:laf:0.8.9:::::::*
cpe:2.3:a:laf:laf:0.8.10:::::::*
cpe:2.3:a:laf:laf:0.8.11:::::::*
cpe:2.3:a:laf:laf:0.8.12:::::::*
cpe:2.3:a:laf:laf:0.8.13:::::::*
cpe:2.3:a:laf:laf:1.0.0:alpha0::::::
cpe:2.3:a:laf:laf:1.0.0:alpha1::::::
cpe:2.3:a:laf:laf:1.0.0:alpha2::::::
cpe:2.3:a:laf:laf:1.0.0:alpha3::::::
cpe:2.3:a:laf:laf:1.0.0:alpha4::::::
cpe:2.3:a:laf:laf:1.0.0:alpha5::::::
cpe:2.3:a:laf:laf:1.0.0:alpha6::::::
cpe:2.3:a:laf:laf:1.0.0:beta0::::::
cpe:2.3:a:laf:laf:1.0.0:beta1::::::
cpe:2.3:a:laf:laf:1.0.0:beta10::::::
cpe:2.3:a:laf:laf:1.0.0:beta11::::::
cpe:2.3:a:laf:laf:1.0.0:beta12::::::
cpe:2.3:a:laf:laf:1.0.0:beta13::::::
cpe:2.3:a:laf:laf:1.0.0:beta2::::::
cpe:2.3:a:laf:laf:1.0.0:beta3::::::
cpe:2.3:a:laf:laf:1.0.0:beta4::::::
cpe:2.3:a:laf:laf:1.0.0:beta5::::::
cpe:2.3:a:laf:laf:1.0.0:beta6::::::
cpe:2.3:a:laf:laf:1.0.0:beta7::::::
cpe:2.3:a:laf:laf:1.0.0:beta8::::::
cpe:2.3:a:laf:laf:1.0.0:beta9::::::

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-52298	Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50
https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306
https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-12T20:33:40.959Z

Updated: 2024-08-02T21:23:39.023Z

Reserved: 2023-11-13T13:25:18.480Z

Link: CVE-2023-48225

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-12T21:15:08.237

Modified: 2024-11-21T08:31:14.840

Link: CVE-2023-48225

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object