Insertion of Sensitive Information into Log File Affecting github.com/apache/solr-operator/controllers package, versions >=0.3.0 <0.8.1

Severity: medium

Snyk CVSS
  • Attack Complexity: High
  • Confidentiality: High

Threat Intelligence
  • EPSS 0.04% (9th percentile)

  • Snyk ID SNYK-GOLANG-GITHUBCOMAPACHESOLROPERATORCONTROLLERS-6613066
  • published 14 Apr 2024
  • disclosed 12 Apr 2024
  • credit Unknown

How to fix?

Upgrade github.com/apache/solr-operator/controllers to version 0.8.1 or higher.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to the handling of health checks (liveness, readiness and startup probes). When authentication is required for the probe endpoints, a probe failure causes the basic auth credentials to be written to the log, so an attacker who can trigger a probe failure can expose those credentials.

Note

Exploiting this vulnerability is possible only if .solrOptions.security.authenticationType=basic is used for bootstrapping security and .solrOptions.security.probesRequireAuth=true is set, which requires authentication on the probes.

Workaround

This vulnerability can be mitigated by setting .solrOptions.security.probesRequireAuth=false, which disables authentication on the health check probes.
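The preconditions in the Note and the workaround above, as a triage check that is an added example here and not Snyk's or the Solr Operator project's code: it tests an operator version against the advisory's affected range (>=0.3.0 <0.8.1) and a config against the two .solrOptions.security.* keys the page names. The nested-dict layout of the config, the helper names and the sample values are assumptions constructed for the example.

```python
import copy
from typing import Any, Dict, Tuple

# Affected range from the advisory: >=0.3.0 <0.8.1
AFFECTED_MIN = (0, 3, 0)
FIXED_IN = (0, 8, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'v0.8.0' or '0.8.0' -> (0, 8, 0) for tuple comparison."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def operator_is_affected(version: str) -> bool:
    """True for operator versions inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def config_is_exposed(config: Dict[str, Any]) -> bool:
    """Both preconditions from the Note: basic auth bootstrapping and
    probesRequireAuth=true. Only an explicit true counts here; if your
    deployment resolves a default for that flag, pass the resolved value."""
    security = config.get("solrOptions", {}).get("security", {})
    basic = str(security.get("authenticationType", "")).lower() == "basic"
    return basic and security.get("probesRequireAuth") is True


def assess(version: str, config: Dict[str, Any]) -> str:
    """'vulnerable': affected version and exposed config;
    'mitigated': affected version but the workaround (or no basic auth) applies;
    'not affected': version outside the affected range."""
    if not operator_is_affected(version):
        return "not affected"
    return "vulnerable" if config_is_exposed(config) else "mitigated"


def apply_workaround(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with the page's workaround applied: probesRequireAuth=false."""
    fixed = copy.deepcopy(config)
    fixed.setdefault("solrOptions", {}).setdefault("security", {})["probesRequireAuth"] = False
    return fixed


# Constructed sample matching the Note's preconditions (not a real deployment)
VULNERABLE_CONFIG = {
    "solrOptions": {"security": {"authenticationType": "basic", "probesRequireAuth": True}}
}

if __name__ == "__main__":
    print("0.8.0 as configured:", assess("0.8.0", VULNERABLE_CONFIG))
    print("0.8.0 with workaround:", assess("0.8.0", apply_workaround(VULNERABLE_CONFIG)))
    print("0.8.1 as configured:", assess("0.8.1", VULNERABLE_CONFIG))
```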