Reported

November 19, 2022

Issued

February 7, 2023

Package

aliyun-oss-client (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Aliases

• CVE-2022-39397
• GHSA-3w3h-7xgx-grwc

References

• https://github.com/advisories/GHSA-3w3h-7xgx-grwc

CVSS Score

5.6 MEDIUM

CVSS Details

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality Impact

High

Integrity Impact

Low

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Patched

• >=0.8.1

Description

The aliyun-oss-client unintentionally divulges the authentication secret.

This bug was fixed in this commit by limiting the concerned traits to be pub only within the crate.

Advisory available under CC0-1.0 license.