Description
Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/labring/laf/security/advisories/GHSA-g9c8-wh35-g75f
Third Party Advisory x_refsource_misc
https://github.com/labring/laf/pull/1468
Scores
CVSS v3
9.6
EPSS
0.0005
EPSS Percentile
16.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
CWE-200
Status
published
Products (33)
laf/laf
0.1.5
laf/laf
0.4.0
laf/laf
0.4.1
laf/laf
0.4.2
laf/laf
0.4.3
laf/laf
0.4.4
laf/laf
0.4.5
laf/laf
0.4.6
laf/laf
0.4.7
laf/laf
0.4.8
... and 23 more
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026