Homepage

Insertion of Sensitive Information into Log File Affecting sigs.k8s.io/azurefile-csi-driver/pkg/csi-common package, versions <1.29.4>=1.30.0 <1.30.1

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Insertion of Sensitive Information into Log File vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-SIGSK8SIOAZUREFILECSIDRIVERPKGCSICOMMON-6842383
  • published5 Jun 2024
  • disclosed15 May 2024
  • creditRita Zhang
Report a new vulnerability Found a mistake?

Introduced: 15 May 2024

CVE-2024-3744  (opens in a new tab)
CWE-532  (opens in a new tab)

How to fix?

Upgrade sigs.k8s.io/azurefile-csi-driver/pkg/csi-common to version 1.29.4, 1.30.1 or higher.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the logging of service account tokens. An attacker can gain unauthorized access to cloud resources by exploiting exposed tokens in driver logs.

Notes:

You may be vulnerable if TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

To check if token requests are configured, run the following command: kubectl get csidriver file.csi.azure.com -o jsonpath="{.spec.tokenRequests}"

To check if tokens are being logged, examine the secrets-store container log: kubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"

Workaround

Prior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.

CVSS Base Scores

version 3.1