{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-30610","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-04-13T13:25:18.831Z","datePublished":"2023-04-19T17:18:54.703Z","dateUpdated":"2025-02-05T14:56:14.270Z"},"containers":{"cna":{"title":"AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending","problemTypes":[{"descriptions":[{"cweId":"CWE-532","lang":"en","description":"CWE-532: Insertion of Sensitive Information into Log File","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9","tags":["x_refsource_CONFIRM"],"url":"https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9"}],"affected":[{"vendor":"awslabs","product":"aws-sdk-rust","versions":[{"version":">= 0.2.0, < 0.2.1","status":"affected"},{"version":">= 0.3.0, < 0.3.1","status":"affected"},{"version":">= 0.4.1, < 0.4.2","status":"affected"},{"version":">= 0.5.2, < 0.5.3","status":"affected"},{"version":">= 0.6.0, < 0.6.1","status":"affected"},{"version":">= 0.7.0, < 0.7.1","status":"affected"},{"version":">= 0.8.0, < 0.8.1","status":"affected"},{"version":">= 0.9.0, < 0.9.1","status":"affected"},{"version":">= 0.10.1, < 0.10.2","status":"affected"},{"version":">= 0.11.0, < 0.11.1","status":"affected"},{"version":">= 0.12.0, < 0.12.1","status":"affected"},{"version":">= 0.13.0, < 0.13.1","status":"affected"},{"version":">= 0.14.0, < 0.14.1","status":"affected"},{"version":">= 0.15.0, < 0.15.1","status":"affected"},{"version":">= 
0.46.0, < 0.46.1","status":"affected"},{"version":">= 0.47.0, < 0.47.1","status":"affected"},{"version":">= 0.48.0, < 0.48.1","status":"affected"},{"version":">= 0.49.0, < 0.49.1","status":"affected"},{"version":">= 0.50.0, < 0.51.1","status":"affected"},{"version":">= 0.52.0, < 0.52.1, ","status":"affected"},{"version":">= 0.53.1, < 0.53.2","status":"affected"},{"version":">= 0.54.1, < 0.54.2","status":"affected"},{"version":">= 0.55.0, < 0.55.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-04-19T17:18:54.703Z"},"descriptions":[{"lang":"en","value":"aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`) or for the `aws-sigv4` crate specifically, are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. 
Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.\n"}],"source":{"advisory":"GHSA-mjv9-vp6w-3rc9","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T14:28:51.668Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9"}]},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-532","lang":"en","description":"CWE-532 Insertion of Sensitive Information into Log File"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-02-05T14:55:09.619592Z","id":"CVE-2023-30610","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-05T14:56:14.270Z"}}]}}