CVE-2023-30610: AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
First published: Wed Apr 19 2023(Updated: )
aws-sigv4 is a rust library for low level request signing in the aws cloud platform. The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically are affected. This issue has been addressed in a set of new releases. Users are advised to upgrade. Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amazon Aws-sigv4 | =0.2.0 | |
| Amazon Aws-sigv4 | =0.3.0 | |
| Amazon Aws-sigv4 | =0.4.1 | |
| Amazon Aws-sigv4 | =0.5.2 | |
| Amazon Aws-sigv4 | =0.6.0 | |
| Amazon Aws-sigv4 | =0.7.0 | |
| Amazon Aws-sigv4 | =0.8.0 | |
| Amazon Aws-sigv4 | =0.9.0 | |
| Amazon Aws-sigv4 | =0.10.1 | |
| Amazon Aws-sigv4 | =0.11.0 | |
| Amazon Aws-sigv4 | =0.12.0 | |
| Amazon Aws-sigv4 | =0.13.0 | |
| Amazon Aws-sigv4 | =0.14.0 | |
| Amazon Aws-sigv4 | =0.15.0 | |
| Amazon Aws-sigv4 | =0.46.0 | |
| Amazon Aws-sigv4 | =0.47.0 | |
| Amazon Aws-sigv4 | =0.48.0 | |
| Amazon Aws-sigv4 | =0.49.0 | |
| Amazon Aws-sigv4 | =0.50.0 | |
| Amazon Aws-sigv4 | =0.51.0 | |
| Amazon Aws-sigv4 | =0.52.0 | |
| Amazon Aws-sigv4 | =0.53.1 | |
| Amazon Aws-sigv4 | =0.54.1 | |
| Amazon Aws-sigv4 | =0.55.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for aws-sigv4?
The vulnerability ID for aws-sigv4 is CVE-2023-30610.
What is the severity of CVE-2023-30610?
The severity of CVE-2023-30610 is medium.
Which versions of aws-sigv4 are affected by CVE-2023-30610?
Versions 0.2.0 to 0.55.0 of aws-sigv4 are affected by CVE-2023-30610.
What is the CWE ID for CVE-2023-30610?
The CWE ID for CVE-2023-30610 is 532.
Where can I find more information about CVE-2023-30610?
You can find more information about CVE-2023-30610 [here](https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/references
- agent/severity
- agent/title
- agent/weakness
- agent/tags
- agent/event
- agent/first-publish-date
- agent/description
- vendor/amazon
- canonical/amazon aws-sigv4
- version/amazon aws-sigv4/0.2.0
- version/amazon aws-sigv4/0.3.0
- version/amazon aws-sigv4/0.4.1
- version/amazon aws-sigv4/0.5.2
- version/amazon aws-sigv4/0.6.0
- version/amazon aws-sigv4/0.7.0
- version/amazon aws-sigv4/0.8.0
- version/amazon aws-sigv4/0.9.0
- version/amazon aws-sigv4/0.10.1
- version/amazon aws-sigv4/0.11.0
- version/amazon aws-sigv4/0.12.0
- version/amazon aws-sigv4/0.13.0
- version/amazon aws-sigv4/0.14.0
- version/amazon aws-sigv4/0.15.0
- version/amazon aws-sigv4/0.46.0
- version/amazon aws-sigv4/0.47.0
- version/amazon aws-sigv4/0.48.0
- version/amazon aws-sigv4/0.49.0
- version/amazon aws-sigv4/0.50.0
- version/amazon aws-sigv4/0.51.0
- version/amazon aws-sigv4/0.52.0
- version/amazon aws-sigv4/0.53.1
- version/amazon aws-sigv4/0.54.1
- version/amazon aws-sigv4/0.55.0