API key leak

High
rozbb published GHSA-23g5-r34j-mr8g Mar 13, 2023

Package

cargo readtomyshoe-server (Rust)

Affected versions

< commit 8533b01

Patched versions

commit 8533b01

Description

Impact

If adding an article fails, the website shows the user an error message. If the error originates from the Google Cloud TTS request, the message includes the full URL of that request, and the request URL contains the Google Cloud API key. The redacted screenshot below shows what this error message looks like.

[Image: redacted screenshot of the error message showing the request URL]

Patches

This has been patched in 8533b01. Upgrade as soon as possible.

In addition, delete the current GCP API key and issue a new one.
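The fix the advisory describes amounts to keeping the API key out of user-facing error text. The following is an added Rust example, not readtomyshoe's code or its actual patch: it assumes the key travels in the `key` query parameter of the request URL (as Google Cloud REST APIs do), and the endpoint and upstream error text in `main` are constructed. The vulnerable behaviour is simply returning `upstream` to the user unredacted.

```rust
// Added example, not readtomyshoe's code: redact the `key=` query parameter of a
// Google Cloud request URL before an upstream error message is shown to the user.

/// Google Cloud REST APIs carry the API key in the `key` query parameter.
const SENSITIVE_PARAMS: &[&str] = &["key"];

/// Replace the value of each sensitive query parameter with "[REDACTED]".
fn redact_url(url: &str) -> String {
    let (base, query) = match url.split_once('?') { Some(p) => p, None => return url.to_string() };
    let pairs: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            Some((name, _)) if SENSITIVE_PARAMS.iter().any(|p| p.eq_ignore_ascii_case(name)) => {
                format!("{name}=[REDACTED]")
            }
            _ => pair.to_string(),
        })
        .collect();
    format!("{base}?{}", pairs.join("&"))
}

/// Redact every http(s) URL inside free-form text (e.g. an HTTP client's error output).
fn redact_message(msg: &str) -> String {
    let mut out = String::new();
    let mut rest = msg;
    while let Some(start) = ["https://", "http://"].iter().filter_map(|s| rest.find(*s)).min() {
        let (before, from_url) = rest.split_at(start);
        // A URL ends at whitespace or at a delimiter the message may wrap it in.
        let end = from_url
            .find(|c: char| c.is_whitespace() || matches!(c, ')' | '"' | '\'' | '<' | '>'))
            .unwrap_or(from_url.len());
        out.push_str(before);
        out.push_str(&redact_url(&from_url[..end]));
        rest = &from_url[end..];
    }
    out.push_str(rest);
    out
}

/// Hardened: the user sees the redacted text; the full error belongs in the server log only.
fn user_error_hardened(upstream: &str) -> String {
    format!("Failed to add article: {}", redact_message(upstream))
}

fn main() {
    // Constructed upstream error, shaped like an HTTP client's Display output; the key is fake.
    let raw = "error sending request for url (https://texttospeech.googleapis.com/v1/text:synthesize?key=AIzaCONSTRUCTED): timed out";
    println!("{}", user_error_hardened(raw));
}
```

Rotating the leaked key, as the advisory instructs, is still required: redaction only stops future disclosure.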

Workarounds

No workarounds.

References

N/A

Severity

High
7.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2023-27587

Weaknesses

No CWEs