GHSA-26hr-q2wp-rvc5: 
vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-26hr-q2wp-rvc5) was discovered in lakeFS affecting versions prior to 1.3.1. The vulnerability was disclosed on December 10, 2023, and updated on December 12, 2023. The issue affects the lakeFS software when specific configuration conditions are met, potentially allowing users with action writing permissions to impersonate other users (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 6.2 (Moderate), with the following base metrics: Network attack vector, High attack complexity, High privileges required, No user interaction needed, Unchanged scope, High impact on confidentiality and integrity, and Low impact on availability. The CVSS string is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L (GitHub Advisory).

When successfully exploited, this vulnerability allows a user with action configuration permissions to impersonate any other user in the system. This leads to potential unauthorized access and actions being performed under different user identities, compromising the system's security model (GitHub Advisory).

Several workarounds are available to prevent this issue: 1) Avoid passing auth.encrypt.secret_key through an environment variable - instead, generate the entire configuration as a secret and mount that (particularly relevant for Kubernetes users), 2) Disable actions completely, or 3) Restrict the number of users allowed to configure actions. The vulnerability has been patched in version 1.3.1, and users are advised to upgrade to this version (GitHub Advisory).