CVE-2023-48225

HIGH

Laf - Exposure of Sensitive Information via Environment Variable Handling

Title source: llm

Description

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/labring/laf/security/advisories/GHSA-hv2g-gxx4-fwxp

Product x_refsource_misc

https://github.com/labring/laf/blob/main/server/src/application/environment.controller.ts#L50

Product x_refsource_misc

https://github.com/labring/laf/blob/main/server/src/instance/instance.service.ts#L306

View Writeup ZIP pw:eip

Scores

CVSS v3 8.9

EPSS 0.0080

EPSS Percentile 51.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Details

CWE

CWE-200

Status published

Products (33)

laf/laf 0.1.5

laf/laf 0.4.0

laf/laf 0.4.1

laf/laf 0.4.2

laf/laf 0.4.3

laf/laf 0.4.4

laf/laf 0.4.5

laf/laf 0.4.6

laf/laf 0.4.7

laf/laf 0.4.8

... and 23 more

Published Dec 12, 2023

Tracked Since Feb 18, 2026