CVE-2021-3684 — OpenShift Assisted Installer leaks image pull secrets as plaintext in installati

Description

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

How to fix CVE-2021-3684

To remediate CVE-2021-3684, upgrade the affected package to a fixed version below.

—upgrade to 1.0.25.1 or later

Is CVE-2021-3684 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.25.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3684
PATCHgithub.com/openshift/assisted-installer
WEBbugzilla.redhat.com/show_bug.cgi?id=1985962
WEBgithub.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4