{
  "schema_version": "1.4.0",
  "id": "GHSA-jp7v-3587-2956",
  "modified": "2023-02-08T21:38:46Z",
  "published": "2023-02-08T21:38:46Z",
  "aliases": [
    "CVE-2023-24827"
  ],
  "summary": "Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set",
  "details": "A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable.\n\n### Impact\nThe `SYFT_ATTEST_PASSWORD` environment variable is for the `syft attest` command to generate attested SBOMs for the given container image. This environment variable is used to decrypt the private key (provided with `syft attest --key <path-to-key-file>`)  during the signing process while generating an SBOM attestation. \n\nThis vulnerability affects users running syft that have the `SYFT_ATTEST_PASSWORD` environment variable set with credentials (regardless of if the attest command is being used or not). Users that do not have the environment variable `SYFT_ATTEST_PASSWORD` set are not affected by this issue.\n\nThe credentials are leaked in two ways:\n- in the syft logs when `-vv` or `-vvv` are used in the syft command (which is any log level >= `DEBUG`)\n- in the attestation or SBOM only when the `syft-json` format is used \n\nNote that as of v0.69.0 any generated attestations by the `syft attest` command are uploaded to the OCI registry (if you have write access to that registry) in the same way `cosign attach` is done. This means that any attestations generated for the affected versions of syft when the `SYFT_ATTEST_PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry.\n\nExample commands run from affected versions of syft that show the credential disclosure:\n```bash\n$ SYFT_ATTEST_PASSWORD=123456 syft <container-image-or-directory-input> -o syft-json | grep 123456\n# \"123456\" is in the output\n\n$ SYFT_ATTEST_PASSWORD=123456 syft attest <container-image-input> -o syft-json \n$ cosign download attestation <container-image-input> | jq -r '.payload' | base64 -d | grep 123456\n# \"123456\" is in the output\n```\n\n### Patches\n\nThe patch has been released in v0.70.0.\n\n### Workarounds\n\nThere are no workarounds for this vulnerability.\n\n### References\n\nPatch pull request: https://github.com/anchore/syft/pull/1538",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/syft"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0.69.0"
            },
            {
              "fixed": "0.70.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/syft"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T21:38:46Z",
    "nvd_published_at": "2023-02-07T01:15:00Z"
  }
}