PT-2023-19808 · Syft · Syft

Wagoodman · Published 2023-02-07 · Updated 2024-08-20 · CVE-2023-24827

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: syft versions v0.69.0 through v0.69.1

Description: A password disclosure flaw was found in syft, which leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable. This variable is used to decrypt the private key during the signing process while generating an SBOM attestation. The credential is leaked in two ways: in the syft logs when -vv or -vvv is used in the syft command, and in the attestation or SBOM only when the syft-json format is used. This vulnerability affects users running syft with the SYFT_ATTEST_PASSWORD environment variable set to a credential. Note that any attestations generated by the syft attest command are uploaded to the OCI registry, so any attestation generated by an affected version of syft while SYFT_ATTEST_PASSWORD was set would leak the credential in the attestation payload uploaded to the OCI registry.

Recommendations: For syft versions v0.69.0 through v0.69.1, upgrade to version v0.70.0 to resolve the issue. As a temporary workaround, consider removing the SYFT_ATTEST_PASSWORD environment variable to prevent credential leakage. Restrict access to the syft logs and attestation or SBOM files to minimize the risk of exploitation. Avoid using the syft-json format until the issue is resolved.
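Both leak paths named above (verbose logs and syft-json output) leave artifacts that can be checked after the fact. The following script is an added example and is not syft's own code or part of this advisory: it takes the value of SYFT_ATTEST_PASSWORD, reports every JSON path in an SBOM or attestation document and every log line that contains that value, and produces a redacted copy of the document. The embedded sample document, its `descriptor.configuration` layout, the log line format and the passphrase are all constructed for the example and do not reproduce syft's real schema or log output.

```python
import json
import os
import sys
from typing import Any, Dict, Iterator, List, Tuple

REDACTED = "[REDACTED]"

# Constructed sample data: the document shape and the log line format are
# illustrations only, not syft's real syft-json schema or log format.
SAMPLE_SECRET = "constructed-example-passphrase"  # constructed, not a real credential
SAMPLE_SBOM_TEXT = json.dumps({
    "artifacts": [{"name": "example-lib", "version": "1.2.3", "type": "go-module"}],
    "descriptor": {
        "name": "syft",
        "version": "v0.69.1",
        "configuration": {"attest": {"key": "cosign.key", "password": SAMPLE_SECRET}},
    },
})
SAMPLE_LOG_LINES = [
    "[0000] DEBUG loading application config",
    "[0000] DEBUG attest options: key=cosign.key password=" + SAMPLE_SECRET,
    "[0001] INFO  cataloged 1 package",
]


def iter_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string anywhere in a parsed JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")


def find_secret_in_sbom(doc: Any, secret: str) -> List[str]:
    """JSON paths of string values that contain the secret (substring match, any depth)."""
    if not secret:
        return []
    return [path for path, value in iter_strings(doc) if secret in value]


def find_secret_in_log(lines: List[str], secret: str) -> List[int]:
    """1-based numbers of the log lines that contain the secret."""
    if not secret:
        return []
    return [n for n, line in enumerate(lines, start=1) if secret in line]


def redact_secret(node: Any, secret: str) -> Any:
    """Copy of the JSON tree with every occurrence of the secret replaced."""
    if isinstance(node, str):
        return node.replace(secret, REDACTED) if secret else node
    if isinstance(node, dict):
        return {k: redact_secret(v, secret) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_secret(v, secret) for v in node]
    return node


def check_artifacts(sbom_text: str, log_lines: List[str], secret: str) -> Dict[str, Any]:
    """Run both checks and return the findings plus a redacted copy of the document."""
    doc = json.loads(sbom_text)
    return {
        "sbom_paths": find_secret_in_sbom(doc, secret),
        "log_lines": find_secret_in_log(log_lines, secret),
        "redacted_sbom": redact_secret(doc, secret),
    }


def main(argv: List[str]) -> int:
    """Usage: script.py <sbom.json> [syft.log]; the secret is read from SYFT_ATTEST_PASSWORD."""
    secret = os.environ.get("SYFT_ATTEST_PASSWORD", "")
    if len(argv) < 2 or not secret:
        # No files or no secret given: demonstrate on the constructed sample instead.
        result = check_artifacts(SAMPLE_SBOM_TEXT, SAMPLE_LOG_LINES, SAMPLE_SECRET)
    else:
        with open(argv[1], encoding="utf-8") as f:
            sbom_text = f.read()
        log_lines: List[str] = []
        if len(argv) > 2:
            with open(argv[2], encoding="utf-8") as f:
                log_lines = f.read().splitlines()
        result = check_artifacts(sbom_text, log_lines, secret)
    print("SBOM paths containing the secret:", result["sbom_paths"])
    print("Log lines containing the secret:", result["log_lines"])
    # Non-zero exit lets a CI job fail before a leaking attestation is pushed.
    return 1 if (result["sbom_paths"] or result["log_lines"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real files with `SYFT_ATTEST_PASSWORD=... python3 check_leak.py sbom.json syft.log`; without arguments it runs on the embedded sample. The substring match is deliberate: it catches the value wherever it ends up, including inside a larger string such as a serialized configuration block, which a key-name check for `password` would miss.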

Exploit

Fix

Weakness Enumeration

Insertion into Log File

Information Disclosure

Related Identifiers

CVE-2023-24827
GHSA-JP7V-3587-2956
GO-2023-1533

Affected Products

Syft