CVE-2023-0436

EPSS 0.27%
Veröffentlicht 07.11.2023 12:15:08
Zuletzt bearbeitet 21.11.2024 07:37:10
Quelle cna@mongodb.com
Teams Watchlist Login
Unerledigt Login

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.

Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.
Required Configuration: 

DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg.  https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mongodb ≫ Atlas Kubernetes Operator Version >= 1.6.0 < 1.7.1

Mongodb ≫ Atlas Kubernetes Operator Version1.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.473

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cna@mongodb.com	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/mongodb/mongodb-atlas-kubernetes/releases/tag/v1.7.1

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-0436

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-0436

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-0436

EUVD