CVE-2022-1650 Unauthorized access to sensitive information in eventsource/eventsource repository before v2.0.2.

We recently discovered an issue in which unauthenticated end-users could access sensitive information, such as private SSH keys, when creating new SSH or GCE credentials. The information was accessible when creating eventsource/eventsource and may have been accessed by other unauthenticated end-users and even malicious actors. We fixed this issue with the release of v2.0.2. This issue did not allow an attacker to obtain access to sensitive information, such as SSH keys and GCP Project access.

Vulnerability summary

A vulnerability in the event source/eventsource endpoint was discovered that allowed unauthenticated end-users to access sensitive information, such as private SSH keys. This issue did not allow an attacker to obtain access to sensitive information, such as SSH keys and GCP Project access.

What is Eventsource?

Eventsource is an application programming interface (API) for Python that enables other applications to receive notifications about key events and updates, such as changes in a model's or table's state. It is the primary way for BigQuery users to receive data about the status of their queries and plans. We recommend updating your Eventsource configuration before proceeding with any workflows that use it.

Vulnerability Summary

A vulnerability has been discovered in the Google Cloud Platform (GCP) credential management service, called eventsource. This vulnerability allowed unauthenticated end-users to access sensitive information without authentication, such as private SSH keys, when creating new SSH or GCE credentials. Even if they did not have permission to access these resources, they could still obtain this information by using the eventsource endpoint.
This issue was fixed with the release of v2.0.2 for GCE and v2.0.4 for SSH key management.

What is an SSH key and why should we care?

SSH keys are used to authenticate with a remote system and are the most common type of cryptographic key. SSH keys can be used for many different purposes including:
- Accessing GCE instances for development or testing
- Accessing your instance on Kubernetes (K8S) clusters
- Connecting to Amazon EC2 instances in order to use their features, such as RDS and ELB
- Using pREST API client libraries for API access
If you do not know what an SSH key is, then you have likely never created one before. As long as there is no way for other people to see them, they can be used to communicate with any system that utilizes SSH. If someone has access to your private keys, they would also be able to impersonate you on any remote site. They could also access "root" credentials on your remote site. This means they would have full control over the server without having any authentication themselves.

Fixed in v2.0.2

We recently discovered an issue in which unauthenticated end-users could access sensitive information, such as private SSH keys, when creating new SSH or GCE credentials. The information was accessible when creating eventsource/eventsource and may have been accessed by other unauthenticated end-users and even malicious actors. We fixed this issue with the release of v2.0.2. This issue did not allow an attacker to obtain access to sensitive information, such as SSH keys and GCP Project access.

Timeline

Published on: 05/12/2022 11:15:00 UTC
Last modified on: 05/31/2022 15:43:00 UTC

References

• https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e
• https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1650