Vulnerability Details : CVE-2023-3361
A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the generated output instead of an ID for a Kubernetes secret.
Products affected by CVE-2023-3361
- cpe:2.3:a:redhat:openshift_data_science:-:*:*:*:*:*:*:*
- cpe:2.3:a:opendatahub:open_data_hub_dashboard:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3361
- 0.11%: probability of exploitation activity in the next 30 days
- ~ 44%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-3361
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | Red Hat, Inc. | |
CWE ids for CVE-2023-3361
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-3361
- https://access.redhat.com/security/cve/CVE-2023-3361
  CVE-2023-3361 - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2216588
  2216588 – (CVE-2023-3361) CVE-2023-3361 odh-dashboard: s3 credentials included when exporting elyra notebook (Issue Tracking; Third Party Advisory)
- https://github.com/opendatahub-io/odh-dashboard/issues/1415
  [Feature Request]: Switch to kubernets_secret option in place of user_credential option on elyrasecret · Issue #1415 · opendatahub-io/odh-dashboard · GitHub (Issue Tracking)