CVE-2022-39397: 
Rust vulnerability analysis and mitigation

aliyun-oss-client, a Rust client for Alibaba Cloud OSS, was found to contain a vulnerability (CVE-2022-39397) where user secrets could be unintentionally disclosed. The vulnerability affects versions prior to 0.8.1 and was discovered and disclosed in November 2022 (GitHub Advisory).

The vulnerability stems from improper handling of secret information in the authentication implementation. The issue was present in the auth.rs file where certain traits and methods were exposing sensitive authentication data. The vulnerability has a CVSS v3.1 base score of 5.6 (Moderate), with attack vector being Physical, attack complexity Low, requiring High privileges and User interaction, with Changed scope (GitHub Advisory).

When using the affected versions of the library, any incoming secrets would be unintentionally disclosed, potentially exposing sensitive authentication credentials to unauthorized parties. This could lead to unauthorized access to Alibaba Cloud OSS resources (GitHub Advisory).

The vulnerability has been patched in versions 0.8.1 and 0.9.0. The fix involved making several traits and methods private to prevent secret exposure, as evidenced by the commit e4553f7. Users are advised to upgrade to these or later versions as there are no alternative workarounds available (GitHub Commit, GitHub Advisory).