laf logs leak

Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

信息暴露

Laf 信息泄露漏洞

Laf是labring实验室的一个云开发平台。 Laf 1.0.0-beta.13及之前版本存在信息泄露漏洞，该漏洞源于允许经过身份验证的攻击者获取同一命名空间下的Pod日志中的敏感信息。

N/A

N/A