{"id":"RUSTSEC-2024-0358","summary":"Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files","details":"Exposure of temporary credentials in logs in Apache Arrow Rust Object Store,\nversion 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.\n\nOn certain error conditions, the logs may contain the OIDC token passed to\n[AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html).\nThis allows someone with access to the logs to impersonate that identity,\nincluding performing their own calls to AssumeRoleWithWebIdentity, until the\nOIDC token expires. Typically OIDC tokens are valid for up to an hour, although\nthis will vary depending on the issuer.\n\nUsers are recommended to use a different AWS authentication mechanism, disable\nlogging or upgrade to version 0.10.2, which fixes this issue.\n\n## Details\n\nWhen using AWS WebIdentityTokens with the `object_store` crate, in the event of\na failure and automatic retry, the underlying `reqwest` error, including the\nfull URL with the credentials, potentially in the parameters, is written to the\nlogs.\n\nThanks to Paul Hatcherian for reporting this vulnerability","aliases":["CVE-2024-41178","GHSA-c2hf-vcmr-qjrf"],"modified":"2025-10-28T06:02:18Z","published":"2024-07-23T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/object_store"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0358.html"},{"type":"WEB","url":"https://github.com/apache/arrow-rs/pull/6074"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/07/23/3"}],"affected":[{"package":{"name":"object_store","ecosystem":"crates.io","purl":"pkg:cargo/object_store"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.5.0"},{"fixed":"0.10.2"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0358.json","informational":null,"cvss":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","categories":[]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}]}