Vulnerability DatabaseCVE-2024-41178

CVE-2024-41178:
Rust vulnerability analysis and mitigation

Overview

Apache Arrow Rust Object Store (object_store crate) version 0.10.1 and earlier contains a vulnerability related to the exposure of temporary credentials in logs when using AWS WebIdentityTokens. The vulnerability was discovered by Paul Hatcherian and assigned CVE-2024-41178. The issue affects all platforms using AWS WebIdentityTokens with versions from 0.5.0 through 0.10.1 (Apache Security).

Technical details

The vulnerability occurs when using AWS WebIdentityTokens with the object_store crate. During failure events and automatic retry attempts, the system logs the underlying reqwest error, which includes the full URL containing credentials in the parameters. This exposes the OIDC token that is passed to AssumeRoleWithWebIdentity. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CISA-ADP).

Impact

An attacker with access to the logs can impersonate the identity associated with the exposed OIDC token and perform their own calls to AssumeRoleWithWebIdentity. The impact is limited by the token's expiration period, which typically lasts up to an hour, though this duration may vary depending on the issuer (Apache Security).

Mitigation and workarounds

Users are recommended to either upgrade to version 0.10.2 which contains the fix, use a different AWS authentication mechanism, or disable logging. The vulnerability has been patched in version 0.10.2 (Apache Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.5

Score

Published July 23, 2024

Severity HIGH

CNA Score 7.5

Affected Technologies

Rust
Apache Arrow

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 52.4

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

cpe:2.3:a:apache:arrow
object_store

Sources

Chainguard
- Chainguard Has FixAdded at: Aug 08, 2024
GitHub Advisory Database
- Rust Severity MEDIUMHas FixAdded at: Dec 26, 2024
VulnCheck NVD++
- Linux Severity HIGHHas FixAdded at: Nov 11, 2024
Wolfi
- Wolfi Has FixAdded at: Aug 08, 2024
NVD
- Linux Severity HIGHHas FixAdded at: Jul 11, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Rust vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40323	HIGH	8.9	Rust	sp1_prover	No	Yes	Apr 14, 2026
GHSA-xphw-cqx3-667j	HIGH	7.3	Rust	thin-vec	No	Yes	Apr 15, 2026
CVE-2026-34069	MEDIUM	5.3	Rust	nimiq-consensus	No	No	Apr 14, 2026
GHSA-cq8v-f236-94qc	LOW	N/A	Rust	rand	No	Yes	Apr 14, 2026
RUSTSEC-2026-0099	N/A	N/A	Rust	rustls-webpki	No	Yes	Apr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-41178: Rust vulnerability analysis and mitigation