"details": "### Summary\nWhen using Keycloak as an OIDC provider, the clientsecret gets printed into the container stdout logs, for example at container startup.\n\n### Details\nContainer Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest\n\nHere is an example of a configuration that causes the problem stated above:\n\n```yaml\nhttp:\n  address: \"0.0.0.0\"\n  port: 5000\n  externalUrl: \"https://zot.example.com\"\n  auth: {\n    failDelay: 1,\n    openid: {\n      providers: {\n        oidc: {\n          name: \"Keycloak\",\n          clientid: \"zot-client-id\",\n          clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l,\n          keypath: \"\",\n          issuer: \"https://keycloak.example.com/realms/example\",\n          scopes: [\"openid\"]\n        }\n      }\n    }\n  }\n```\n\n### PoC\nSet up a blank new zot k8s deployment with the configuration snippet above.\n\n### Impact\nExposure of secrets when configuring an OIDC provider.",