CVE-2021-3528

EPSS 0.33%
Published 13.05.2021 15:15:07
Last modified 21.11.2024 06:21:46
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Noobaa-operator Version < 5.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.53

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://bugzilla.redhat.com/show_bug.cgi?id=1955601

Patch

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2021-3528

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3528

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3528

EUVD