GHSA-4rgc-5g6r-2rjf: 
vulnerability analysis and mitigation

A high-severity security vulnerability was identified in lakeFS (GHSA-4rgc-5g6r-2rjf) where S3 credentials are exposed in plain text within log messages. The vulnerability affects versions prior to 0.101.0 and was discovered and disclosed in December 2023. The issue was found during the investigation of a related problem and impacts the logging functionality of the lakeFS system (GitHub Advisory).

The vulnerability involves the exposure of sensitive S3 credentials (access key and secret key) in plain text within error log messages. The issue occurs specifically in the diff service functionality, where the credentials are included as part of the log output. The vulnerability has received a CVSS v3.1 score of 8.4 (High), with base metrics indicating Local attack vector, Low attack complexity, No privileges required, and No user interaction needed. The technical assessment shows High impact on Confidentiality, Integrity, and Availability (GitHub Advisory).

The exposure of S3 credentials in plain text logs presents a significant security risk as it could lead to unauthorized access to S3 resources. The vulnerability could potentially allow attackers with access to the logs to obtain valid AWS credentials, which could be used to access, modify, or delete data in the associated S3 buckets (GitHub Advisory).

The vulnerability has been patched in lakeFS version 0.101.0. Users are advised to upgrade to this version or later to address the security issue. For systems that cannot be immediately upgraded, disabling logging might serve as a temporary workaround, though this is not officially confirmed (GitHub Advisory).