Vulnerability Report: GO-2023-1497

CVE-2022-23538, GHSA-7p8m-22h4-9pj7
Affects: github.com/sylabs/scs-library-client, github.com/sylabs/scs-library-client
Published: Feb 01, 2023
Modified: May 20, 2024

When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider.

Affected Packages

Path

Go Versions

Symbols
github.com/sylabs/scs-library-client/client

before v1.3.4
- Client.ConcurrentDownloadImage
- Client.UploadImage
github.com/sylabs/scs-library-client/client

from v1.4.0 before v1.4.2
- Client.ConcurrentDownloadImage

Aliases

CVE-2022-23538
GHSA-7p8m-22h4-9pj7

References

https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c
https://vuln.go.dev/ID/GO-2023-1497.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL