Remote Memory Exposure in openwhisk
Moderate severity
GitHub Reviewed
Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023
Reviewed Aug 31, 2020
Description
Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send it over the network in the Authorization header (base64-encoded).
Proof of concept:
Recommendation
Update to version 3.3.1 or later.
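The failure mode described above, as an added example (not code from the openwhisk package or from the advisory): it assumes the header was built with the deprecated Buffer constructor, which treats a number as a size, and sets that beside a form that rejects any api_key that is not a string. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example; legacyAuthHeader, buildAuthHeader and decodedLength are
// hypothetical names, not functions from the openwhisk package.

// Assumed legacy pattern: the deprecated Buffer constructor treats a number
// as a SIZE, not as data. Old Node.js releases did not zero that memory;
// current releases zero-fill it and emit a deprecation warning.
function legacyAuthHeader(apiKey) {
  return 'Basic ' + new Buffer(apiKey).toString('base64');
}

// Hardened form: accept only a non-empty string, and use Buffer.from, which
// never interprets its argument as an allocation size.
function buildAuthHeader(apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new TypeError('api_key must be a non-empty string');
  }
  return 'Basic ' + Buffer.from(apiKey, 'utf8').toString('base64');
}

// Number of raw bytes carried by a Basic Authorization header value.
function decodedLength(header) {
  return Buffer.from(header.slice('Basic '.length), 'base64').length;
}

// Constructed inputs: a string key, and the number that a JSON body such as
// {"api_key": 16} yields after parsing (JSON preserves the numeric type).
const stringKey = 'id:key';
const numericKey = JSON.parse('{"api_key": 16}').api_key;

console.log(buildAuthHeader(stringKey));
console.log(decodedLength(legacyAuthHeader(numericKey)), 'bytes sent by the legacy form');
try {
  buildAuthHeader(numericKey);
} catch (err) {
  console.log('rejected:', err.message);
}
```

The type check belongs at the point where api_key enters the client, since a value parsed from JSON or a query layer can arrive as a number even when a string was expected.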