PT-2023-30742 · Laf · Laf

Dvkunion · Published 2023-12-12 · Updated 2023-12-19 · CVE-2023-48225

CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Laf versions prior to 1.0.0-beta.13
Description: Laf is a cloud development platform. In affected versions the control over the environment variables of a Laf app is not strict enough, which can leak sensitive data held in Kubernetes Secrets and ConfigMaps. The issue arises in certain private-deployment (privatization) scenarios. The root cause is that one object is referenced directly from another object in ES6 syntax, so the entire referenced structure is carried over intact into the app's environment configuration; as a result, sensitive values can be read through the Kubernetes envFrom field, particularly when namespaceConf.fixed is set in a private deployment.
Recommendations: For versions prior to 1.0.0-beta.13, as a temporary workaround, restrict access to the sensitive data held in the affected Secrets and ConfigMaps to reduce the exposure, and avoid using the envFrom field in the Kubernetes configuration (import individual keys with env[].valueFrom instead) until the issue is resolved. The affected-version range above implies that 1.0.0-beta.13 addresses the issue; confirm this against the upstream GitHub advisory (GHSA-HV2G-GXX4-FWXP) before relying on an upgrade, since this entry carries no independent confirmation of a fixed release.
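The workaround above asks operators to stop importing whole Secrets and ConfigMaps through envFrom. The following audit script is an added example written for this entry; it is not Laf project code and does not reproduce the Laf bug. It reads the JSON that `kubectl get pods -A -o json` prints, reports every container that pulls an entire Secret or ConfigMap into its environment via envFrom, and lists the per-key `env[].valueFrom` references that a hardened spec should use instead. The two pod specs, their namespace, image and Secret/ConfigMap names are constructed for illustration.

```python
"""Audit pod specs for envFrom imports of whole Secrets and ConfigMaps.

Added example, not Laf project code. Input is a v1 List (as printed by
`kubectl get pods -A -o json`) whose `items` are Pods. Every envFrom
source is reported, because envFrom exposes every key of the referenced
object to the container, which is the pattern the workaround says to avoid.
"""
import json
import sys
from typing import Dict, Iterator, List, Tuple

Finding = Tuple[str, str, str, str, str]  # namespace, pod, container, kind, object name

# Constructed example: the app imports the whole Secret and ConfigMap via envFrom.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app-a", "namespace": "laf-apps"},
    "spec": {"containers": [{
        "name": "runtime", "image": "example/runtime:1.0",
        "envFrom": [
            {"secretRef": {"name": "app-a-secrets"}},
            {"configMapRef": {"name": "app-a-config"}, "prefix": "CFG_"},
        ],
    }]},
}

# Constructed example: only the keys the app actually needs are selected, one by one.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app-b", "namespace": "laf-apps"},
    "spec": {"containers": [{
        "name": "runtime", "image": "example/runtime:1.0",
        "env": [
            {"name": "DB_URI",
             "valueFrom": {"secretKeyRef": {"name": "app-b-secrets", "key": "db-uri"}}},
            {"name": "LOG_LEVEL",
             "valueFrom": {"configMapKeyRef": {"name": "app-b-config", "key": "log-level"}}},
        ],
    }]},
}

# Constructed stand-in for `kubectl get pods -A -o json` output.
POD_LIST_JSON = json.dumps(
    {"apiVersion": "v1", "kind": "List", "items": [VULNERABLE_POD, HARDENED_POD]}
)


def _containers(pod: Dict) -> Iterator[Dict]:
    """Yield every container spec, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def env_from_findings(pod_list_json: str) -> List[Finding]:
    """One finding per envFrom source; an empty list means no whole-object imports."""
    findings: List[Finding] = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        ns, pod_name = meta.get("namespace", "default"), meta.get("name", "?")
        for ctr in _containers(pod):
            for src in ctr.get("envFrom", []):
                for key, kind in (("secretRef", "Secret"), ("configMapRef", "ConfigMap")):
                    if key in src:
                        findings.append(
                            (ns, pod_name, ctr.get("name", "?"), kind, src[key].get("name", "?"))
                        )
    return findings


def explicit_key_refs(pod: Dict) -> List[Tuple[str, str, str]]:
    """(env var, kind, key) for each per-key reference; the shape to migrate envFrom users to."""
    refs: List[Tuple[str, str, str]] = []
    for ctr in _containers(pod):
        for env in ctr.get("env", []):
            value_from = env.get("valueFrom", {})
            if "secretKeyRef" in value_from:
                refs.append((env["name"], "Secret", value_from["secretKeyRef"]["key"]))
            elif "configMapKeyRef" in value_from:
                refs.append((env["name"], "ConfigMap", value_from["configMapKeyRef"]["key"]))
    return refs


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_envfrom.py -
    # Without "-" the constructed sample above is audited instead.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else POD_LIST_JSON
    for ns, pod_name, ctr, kind, ref in env_from_findings(data):
        print(f"{ns}/{pod_name} container={ctr} imports whole {kind} {ref!r} via envFrom")
```

Run against a live cluster as shown in the `__main__` comment; every line it prints is a container that receives every key of the named Secret or ConfigMap, including keys the app never reads. Converting those to the per-key form that `explicit_key_refs` recognises limits each app to the values it was granted, and the prefix option on envFrom does not help here since it renames the keys without reducing their number.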

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-48225
GHSA-HV2G-GXX4-FWXP

Affected Products

Laf