CVE-2023-30610: 
Rust vulnerability analysis and mitigation

CVE-2023-30610 affects aws-sigv4, a Rust library for low-level request signing in the AWS cloud platform. The vulnerability was discovered in April 2023 and involves the exposure of AWS credentials through debug logging. The aws_sigv4::SigningParams struct contained a derived Debug implementation that would expose sensitive authentication information when debug-formatted (Vendor Advisory).

The vulnerability stems from the aws_sigv4::SigningParams struct's derived Debug implementation. When debug-formatted, it would expose a user's AWS access key, AWS secret key, and security token in plaintext. This exposure occurs when TRACE-level logging is enabled for the SDK, either globally (using RUST_LOG=trace) or specifically for the aws-sigv4 crate. The vulnerability has a CVSS v3.1 score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability exposes sensitive AWS credentials (access key, secret key, and security token) in plaintext to anyone with access to the logs when TRACE-level logging is enabled. This could potentially lead to unauthorized access to AWS resources if the logs are compromised (Vendor Advisory).

The issue has been patched in multiple versions including 0.55.1, 0.54.2, 0.53.2, 0.52.1, and other corresponding patch releases. Users are advised to upgrade to the patched versions. For those unable to upgrade immediately, the recommended workaround is to disable TRACE-level logging for AWS Rust SDK crates (Vendor Advisory).