GHSA-26hr-q2wp-rvc5: User with permission to write actions can impersonate another user when auth token is configured in environment variable

Severity: Moderate (GitHub Reviewed). Published Dec 10, 2023 in treeverse/lakeFS; updated Dec 12, 2023.

Package: github.com/treeverse/lakefs (Go module)

Affected versions: < 1.3.1

Impact

When lakeFS is configured with ALL of the following:

  • The configuration option auth.encrypt.secret_key is passed through an environment variable
  • Actions are enabled via the configuration option actions.enabled (enabled by default)

then a user who can configure an action can impersonate any other user.

Patches

Upgrade to lakeFS 1.3.1 or later; all versions below 1.3.1 are affected.

Workarounds

ANY ONE of these is sufficient to prevent the issue:

  • Do not pass auth.encrypt.secret_key through an environment variable.

    For instance, Kubernetes users can render the entire configuration file as a Secret and mount it into the pod instead.

  • Disable actions.

  • Limit users allowed to configure actions.
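
As an added example (not part of the advisory or of the lakeFS project), the following POSIX shell helper audits one deployment against the three conditions above: it takes the lakeFS version, an environment dump and the config file contents and reports whether the vulnerable combination is present. It assumes lakeFS's mapping of configuration keys to environment variables (LAKEFS_AUTH_ENCRYPT_SECRET_KEY, LAKEFS_ACTIONS_ENABLED) and a YAML config file with nested keys, neither of which the advisory states; the sample inputs are constructed.

```sh
# Added audit helper; not from the advisory or the lakeFS project. Assumption (not on
# the page): lakeFS reads config keys from the environment as LAKEFS_<KEY> with dots
# replaced by underscores, and otherwise from a YAML config file with nested keys.

# Returns 0 when version $1 is below 1.3.1, the first release not listed as affected.
version_below_fix() {
  v=${1#v}; v=${v%%-*}                      # drop a leading "v" and any -rc suffix
  set -- $(printf '%s' "$v" | tr '.' ' ')  # $1 $2 $3 = major minor patch
  [ $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) -lt 1003001 ]
}

# Prints true/false: is auth.encrypt.secret_key supplied through the environment?
# $1 is an environment dump in NAME=value lines, as printed by `env`.
secret_key_in_env() {
  printf '%s\n' "$1" | grep -q '^LAKEFS_AUTH_ENCRYPT_SECRET_KEY=' && echo true || echo false
}

# Prints true/false for actions.enabled: the environment ($1) wins over the config
# file ($2), and an unset value means enabled, the default the advisory notes.
actions_enabled() {
  v=$(printf '%s\n' "$1" | sed -n 's/^LAKEFS_ACTIONS_ENABLED=//p' | tail -n 1)
  [ -n "$v" ] || v=$(printf '%s\n' "$2" | awk '
      /^[^ #]/ { in_actions = ($1 == "actions:") }   # unindented line = top-level key
      in_actions && $1 == "enabled:" { print $2 }' | tail -n 1)
  case "$v" in [Ff]alse|0|no|off) echo false ;; *) echo true ;; esac
}

# Verdict for one deployment: "vulnerable" only when all three advisory conditions hold.
lakefs_advisory_check() {
  if version_below_fix "$1" && [ "$(secret_key_in_env "$2")" = true ] \
     && [ "$(actions_enabled "$2" "$3")" = true ]; then
    echo vulnerable
  else
    echo "not vulnerable"
  fi
}

# Constructed sample inputs (not from any real deployment).
SAMPLE_ENV='LAKEFS_DATABASE_TYPE=local
LAKEFS_AUTH_ENCRYPT_SECRET_KEY=constructed-example-secret'
SAMPLE_CONFIG_ACTIONS_OFF='actions:
  enabled: false'

lakefs_advisory_check 1.3.0 "$SAMPLE_ENV" ""                           # vulnerable
lakefs_advisory_check 1.3.1 "$SAMPLE_ENV" ""                           # not vulnerable
lakefs_advisory_check 1.3.0 "$SAMPLE_ENV" "$SAMPLE_CONFIG_ACTIONS_OFF"  # not vulnerable
```

In a live deployment the three arguments would come from the lakeFS version string, the process environment and the mounted config file; the config parsing handles only the plain two-level YAML shape shown and is not a full YAML parser.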

References

  • GHSA-26hr-q2wp-rvc5

Published to the GitHub Advisory Database: Dec 12, 2023

Last updated: Dec 12, 2023
