Description
A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens exchanged between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use such an AuthToken to gain additional access to the noobaa deployment and read or modify system configuration.
References (1)
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1955601
Scores
CVSS v3: 8.8
EPSS: 0.0033
EPSS Percentile: 56.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-522, CWE-532
Status: published
Products (1): redhat/noobaa-operator < 5.7.0
Published: May 13, 2021
Tracked Since: Feb 18, 2026