PT-2023-29713 · Yandex · Ydb-Go-Sdk

Se-Foster +1

Published 2023-10-19 · Updated 2023-10-27

CVE-2023-45825

CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ydb-go-sdk versions 3.48.6 through 3.53.2

Description: The issue concerns a potential leak of sensitive information, such as credentials, into logs when using a custom credentials object with ydb-go-sdk. This occurs because the custom credentials object can be serialized into an error message during connection to the YDB server, using fmt.Errorf("something went wrong (credentials: %q)", credentials). If such an error is logged, a malicious user with access to the logs could read the sensitive information and use it to gain access to the database. The problem affects applications with custom credentials objects that do not implement the fmt.Stringer interface.

Recommendations: For versions 3.48.6 through 3.53.2, upgrade to version 3.53.3 to resolve the issue. Users unable to upgrade should implement the fmt.Stringer interface on their custom credentials type, so that the String() method controls explicitly what is emitted when the object state is stringified.
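As an added example (not ydb-go-sdk's own code), the following contrasts a hypothetical custom credentials type without fmt.Stringer against one that implements it, run through the same fmt.Errorf pattern quoted in the description; the type names, the token value and the connectError helper are constructed for illustration only.

```go
package main

import (
	"fmt"
	"strings"
)

// LeakyCredentials is a constructed custom credentials type that does NOT
// implement fmt.Stringer. fmt formats the struct field by field, so the
// raw token ends up inside any %q / %v rendering of the object.
type LeakyCredentials struct {
	Token string
}

// SafeCredentials carries the same state but implements fmt.Stringer, so
// every string-style verb (%s, %q, %v) renders the masked form instead.
type SafeCredentials struct {
	Token string
}

func (c SafeCredentials) String() string {
	return "SafeCredentials{Token:[REDACTED]}"
}

// connectError reproduces the error construction the advisory describes:
// the credentials object is interpolated into the message with %q.
func connectError(credentials interface{}) error {
	return fmt.Errorf("something went wrong (credentials: %q)", credentials)
}

// leaksSecret reports whether the text that would reach a log line
// contains the secret value.
func leaksSecret(err error, secret string) bool {
	return strings.Contains(err.Error(), secret)
}

func main() {
	const token = "constructed-secret-token"
	leaky := connectError(LeakyCredentials{Token: token})
	safe := connectError(SafeCredentials{Token: token})
	fmt.Println(leaky, "=> leaks:", leaksSecret(leaky, token))
	fmt.Println(safe, "=> leaks:", leaksSecret(safe, token))
}
```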

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2023-45825
GHSA-Q24M-6H38-5XJ8
GO-2023-2137

Affected Products

Ydb-Go-Sdk