Replicated Classic CVE-2021-42718

SummarySensitive data unnecessarily returned from authenticated API.
Advisory Release Date21 Oct 2021 10 AM PDT (Pacific Time, -7 hours)
ProductReplicated Classic
Affected Replicated Classic Versions
  • < 2.53.1
Patched Replicated Classic Versions
  • 2.53.1 – (all later versions)
CVE ID(s)
  • CVE-2021-42718
Replicated KOTS is not affected by this vulnerability.

Summary of Vulnerability

This advisory discloses a low severity security vulnerability in the versions of Replicated Classic listed above (“Affected Replicated Classic Versions”)

Description

Replicated Classic versions prior to 2.53.1 have an authenticated API from the Replicated Admin Console that may expose sensitive data including application secrets, depending on how the application manifests are written. A user with valid credentials and access to the Admin Console port (8800) on the Replicated Classic server can retrieve container definitions including environment variables which may contain passwords and other secrets depending on how the application is configured. 

This data is shared over authenticated sessions to the Admin Console only, and was never displayed or used in the application processing. To remediate this issue, we removed the sensitive data from the API, sending only the data to the Admin Console that was needed.

Timeline

This issue was discovered during a security review on 16 September 2021.
Patched versions were released on 23 September 2021.
This advisory was embargoed until 21 Oct 2021.

Acknowledgements

Credit for finding and disclosing this vulnerability goes to Stephan Sekula.