Insufficiently protected credentials in SCS Library Client - CVE-2022-23538
Published: January 23, 2023
Vulnerability identifier: #VU71422
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-23538
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Sylabs
Affected software:
SCS Library Client
SCS Library Client
Detailed vulnerability description
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to insufficiently protected credentials when pulling container images. A remote administrator can obtain the HTTP Authorization header.
How to mitigate CVE-2022-23538
Install updates from vendor's website.
Sources
- https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
- https://github.com/sylabs/scs-library-client/commit/b5db2aacba6bf1231f42dd475cc32e6355ab47b2
- https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c
- https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7