Description
A flaw was found in Red Hat OpenShift Data Science. When a pipeline is exported from the Elyra notebook pipeline editor as Python DSL or YAML, the export reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the generated output instead of an ID for a Kubernetes secret.
References (3)
Core References
https://github.com/opendatahub-io/odh-dashboard/issues/1415 (Issue Tracking)
https://access.redhat.com/security/cve/CVE-2023-3361 (Third Party Advisory; vdb-entry, x_refsource_redhat)
https://bugzilla.redhat.com/show_bug.cgi?id=2216588 (Issue Tracking, Third Party Advisory; issue-tracking, x_refsource_redhat)
Scores
CVSS v3: 7.7
EPSS: 0.0004
EPSS Percentile: 12.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-319, CWE-200
Status: published
Products (2):
opendatahub/open_data_hub_dashboard < 1.28.1
redhat/openshift_data_science
Published: Oct 04, 2023
Tracked Since: Feb 18, 2026