CVE-2023-24619: 
NixOS vulnerability analysis and mitigation

Redpanda before version 22.3.12 contains a vulnerability where cleartext AWS credentials are exposed through the import functionality in the rpk binary. The vulnerability, identified as CVE-2023-24619, was discovered and disclosed on February 13, 2023. The issue specifically affects the logging of AWS Access Key ID and Secret during import operations (NVD).

The vulnerability exists in the rpk binary's import functionality where it logs AWS credentials (Access Key ID and Secret) in cleartext. This affects the cluster properties 'cloudstoragesecretkey' and 'cloudstorageazureshared_key' when using the rpk cluster config import/edit commands (GitHub PR).

The exposure of AWS credentials in cleartext could allow unauthorized access to AWS resources, potentially leading to data breaches, unauthorized resource usage, and compromise of cloud infrastructure security (NVD).

The issue has been fixed in Redpanda version 22.3.12 and later releases. The fix implements redaction of secret values during import operations, replacing sensitive data with '[redacted]' in the output. Users should upgrade to version 22.3.12 or later to address this vulnerability (GitHub PR).