Vulnerability Description
A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the generated output instead of an ID for a Kubernetes secret.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opendatahub | Open Data Hub Dashboard | < 1.28.1 |
| Redhat | Openshift Data Science | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2023-3361Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2216588Issue TrackingThird Party Advisory
- https://github.com/opendatahub-io/odh-dashboard/issues/1415Issue Tracking
- https://access.redhat.com/security/cve/CVE-2023-3361Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2216588Issue TrackingThird Party Advisory
- https://github.com/opendatahub-io/odh-dashboard/issues/1415Issue Tracking
FAQ
What is CVE-2023-3361?
CVE-2023-3361 is a vulnerability with a CVSS score of 7.7 (HIGH). A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline serve...
How severe is CVE-2023-3361?
CVE-2023-3361 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-3361?
Check the references section above for vendor advisories and patch information. Affected products include: Opendatahub Open Data Hub Dashboard, Redhat Openshift Data Science.