RUSTSEC-2022-0089

aliyun-oss-client secret exposure

Reported
Issued
Package: aliyun-oss-client (crates.io)
Type: Vulnerability
Categories
Aliases
References
CVSS Score: 5.6 MEDIUM
CVSS Details:
  • Attack vector: Physical
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Patched:
  • >=0.8.1

Description

The aliyun-oss-client unintentionally divulges the authentication secret.

This bug was fixed in this commit by restricting the affected traits so that they are public only within the crate.
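
The visibility pattern behind the fix, as an added example that is not code from aliyun-oss-client: a trait that hands out the secret is kept crate-visible, and the public API only returns values derived from it. The names `oss`, `Client`, `SecretAccess` and `authorization` are hypothetical, and `DefaultHasher` is only a stand-in for a real HMAC.

```rust
// Added illustration. `oss`, `Client`, `SecretAccess` and `authorization` are
// hypothetical names, not identifiers from aliyun-oss-client.
mod oss {
    use std::collections::hash_map::DefaultHasher;
    use std::hash::{Hash, Hasher};

    pub struct Client {
        key_id: String,
        key_secret: String, // private field: no direct access from outside
    }

    // Weak form: `pub trait SecretAccess` would let any downstream crate
    // import the trait and call `client.secret()`.
    // Hardened form: `pub(crate)` keeps the accessor callable only inside
    // the defining crate.
    pub(crate) trait SecretAccess {
        fn secret(&self) -> &str;
    }

    impl SecretAccess for Client {
        fn secret(&self) -> &str {
            &self.key_secret
        }
    }

    impl Client {
        pub fn new(key_id: &str, key_secret: &str) -> Self {
            Client { key_id: key_id.to_string(), key_secret: key_secret.to_string() }
        }

        // Public surface: callers get a value derived from the secret, never
        // the secret itself. DefaultHasher is a stand-in for a real HMAC.
        pub fn authorization(&self, request: &str) -> String {
            let mut h = DefaultHasher::new();
            self.secret().hash(&mut h);
            request.hash(&mut h);
            format!("OSS {}:{:016x}", self.key_id, h.finish())
        }
    }
}

fn main() {
    // Constructed sample credentials.
    let client = oss::Client::new("example-key-id", "example-secret");
    println!("{}", client.authorization("GET /bucket/object"));
}
```

In a real crate the same check applies to every trait implemented on a credential-holding type: if the trait is `pub` and reachable from the crate root, its methods are part of the public API even when the struct fields are private.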

Advisory available under CC0-1.0 license.