PT-2024-5382 · Apache · Apache Arrow Rust Object Store

Paul Hatcherian +1 · Published 2024-07-17 · Updated 2024-08-01 · CVE-2024-41178

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Arrow Rust Object Store versions 0.10.1 and earlier

Description: The issue is the exposure of temporary credentials in logs when using AWS WebIdentityTokens with the object store crate. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity, allowing someone with access to the logs to impersonate that identity until the OIDC token expires. Typically, OIDC tokens are valid for up to an hour, although this varies depending on the issuer.

Recommendations: For Apache Arrow Rust Object Store version 0.10.1 and earlier, users are recommended to use a different AWS authentication mechanism, disable logging, or upgrade to version 0.10.2, which fixes this issue. As a temporary workaround, consider disabling the logging of errors that include the full URL with credentials to minimize the risk of exploitation. Restrict access to the logs to prevent unauthorized individuals from obtaining the OIDC token.
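An added example, not code from the object_store crate or the Apache project: a std-only Rust helper that redacts the token from an STS request URL before it is logged, plus a check for triaging logs already written by an affected version. It assumes the OIDC token travels as the WebIdentityToken query parameter of the STS query API and that a leaked token has the JWT shape (three dot-separated base64url segments); the sample URL and token are constructed.

```rust
/// Query parameters whose values must never reach a log. `WebIdentityToken` is
/// the STS parameter carrying the OIDC token (assumed for this example); the
/// others are extra defensive entries.
const SENSITIVE_PARAMS: &[&str] = &["WebIdentityToken", "X-Amz-Security-Token", "X-Amz-Signature"];

/// Replace the value of every sensitive query parameter with "[REDACTED]".
/// Pure string work, so it can wrap any logging call without a URL crate.
pub fn redact_url(url: &str) -> String {
    // Peel off the fragment first so it is preserved untouched.
    let (rest, fragment) = match url.split_once('#') {
        Some((r, f)) => (r, Some(f)),
        None => (url, None),
    };
    let (base, query) = match rest.split_once('?') {
        Some((b, q)) => (b, q),
        None => return url.to_string(), // no query string: nothing to redact
    };
    let redacted: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            Some((k, _)) if SENSITIVE_PARAMS.contains(&k) => format!("{k}=[REDACTED]"),
            _ => pair.to_string(),
        })
        .collect();
    match fragment {
        Some(f) => format!("{base}?{}#{f}", redacted.join("&")),
        None => format!("{base}?{}", redacted.join("&")),
    }
}

/// Triage check for logs written by an affected version: does the line still
/// carry a WebIdentityToken value shaped like a JWT (three base64url segments)?
pub fn line_leaks_jwt(line: &str) -> bool {
    let idx = match line.find("WebIdentityToken=") {
        Some(i) => i,
        None => return false,
    };
    // The value ends at the next separator, a closing quote, or whitespace.
    let value = line[idx + "WebIdentityToken=".len()..]
        .split(|c: char| c == '&' || c == '"' || c.is_whitespace())
        .next()
        .unwrap_or("");
    let is_b64url = |p: &&str| !p.is_empty()
        && p.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_');
    let parts: Vec<&str> = value.split('.').collect();
    parts.len() == 3 && parts.iter().all(is_b64url)
}
```

Running `line_leaks_jwt` over an existing log file identifies lines that must be treated as a credential exposure; `redact_url` applied at the logging boundary keeps new lines from carrying the token at all.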

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

BDU:2024-06016
CVE-2024-41178
GHSA-C2HF-VCMR-QJRF
RUSTSEC-2024-0358

Affected Products

Apache Arrow Rust Object Store