CVE-2023-30610: AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending
The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user’s AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, SigningParams is printed, thereby revealing those credentials to anyone with access to logs.
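The leak described above, reproduced with a hypothetical stand-in struct: a derived `Debug` prints every field, while a hand-written `Debug` impl redacts the secrets. This is an added example, not the aws_sigv4 source or its patch; the struct names, field names, redaction marker, and sample values are constructed for illustration.

```rust
use std::fmt;

// Constructed sample values, not real credentials.
const ACCESS_KEY: &str = "AKIA-CONSTRUCTED-EXAMPLE";
const SECRET_KEY: &str = "constructed-secret-key";
const TOKEN: &str = "constructed-session-token";
// Hypothetical stand-in for a signing-parameters struct (field names assumed).
// The derived Debug formats every field verbatim, secrets included.
#[allow(dead_code)]
#[derive(Debug)]
pub struct LeakyParams<'a> {
    access_key: &'a str,
    secret_key: &'a str,
    security_token: Option<&'a str>,
    region: &'a str,
}

// Same fields, but Debug is written by hand so secrets never reach a formatter.
#[allow(dead_code)]
pub struct RedactedParams<'a> {
    access_key: &'a str,
    secret_key: &'a str,
    security_token: Option<&'a str>,
    region: &'a str,
}

impl fmt::Debug for RedactedParams<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("RedactedParams")
            .field("access_key", &"** redacted **")
            .field("secret_key", &"** redacted **")
            // Keep Some/None visible so logs still show whether a token was set.
            .field("security_token", &self.security_token.map(|_| "** redacted **"))
            .field("region", &self.region)
            .finish()
    }
}

// What a TRACE-level `{:?}` log line would contain for each struct.
pub fn leaky_debug() -> String {
    format!("{:?}", LeakyParams { access_key: ACCESS_KEY, secret_key: SECRET_KEY, security_token: Some(TOKEN), region: "us-east-1" })
}
pub fn redacted_debug() -> String {
    format!("{:?}", RedactedParams { access_key: ACCESS_KEY, secret_key: SECRET_KEY, security_token: Some(TOKEN), region: "us-east-1" })
}
fn main() {
    println!("derived Debug: {}", leaky_debug());
    println!("manual Debug:  {}", redacted_debug());
}
```

A unit test that formats the struct with `{:?}` and asserts the secret values are absent keeps a later `#[derive(Debug)]` from silently reintroducing the leak.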