Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when namespaceConf. fixed is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Laf | Laf | 0.1.5 (including) | 0.1.5 (including) |
| Laf | Laf | 0.4.0 (including) | 0.4.0 (including) |
| Laf | Laf | 0.4.1 (including) | 0.4.1 (including) |
| Laf | Laf | 0.4.2 (including) | 0.4.2 (including) |
| Laf | Laf | 0.4.3 (including) | 0.4.3 (including) |
| Laf | Laf | 0.4.4 (including) | 0.4.4 (including) |
| Laf | Laf | 0.4.5 (including) | 0.4.5 (including) |
| Laf | Laf | 0.4.6 (including) | 0.4.6 (including) |
| Laf | Laf | 0.4.7 (including) | 0.4.7 (including) |
| Laf | Laf | 0.4.8 (including) | 0.4.8 (including) |
| Laf | Laf | 0.4.9 (including) | 0.4.9 (including) |
| Laf | Laf | 0.4.10 (including) | 0.4.10 (including) |
| Laf | Laf | 0.4.11 (including) | 0.4.11 (including) |
| Laf | Laf | 0.4.12 (including) | 0.4.12 (including) |
| Laf | Laf | 0.4.13 (including) | 0.4.13 (including) |
| Laf | Laf | 0.4.14 (including) | 0.4.14 (including) |
| Laf | Laf | 0.4.15 (including) | 0.4.15 (including) |
| Laf | Laf | 0.4.16 (including) | 0.4.16 (including) |
| Laf | Laf | 0.4.17 (including) | 0.4.17 (including) |
| Laf | Laf | 0.4.18 (including) | 0.4.18 (including) |
| Laf | Laf | 0.4.19 (including) | 0.4.19 (including) |
| Laf | Laf | 0.4.20 (including) | 0.4.20 (including) |
| Laf | Laf | 0.4.21-alpha0 (including) | 0.4.21-alpha0 (including) |
| Laf | Laf | 0.5.0 (including) | 0.5.0 (including) |
| Laf | Laf | 0.5.0-alpha0 (including) | 0.5.0-alpha0 (including) |
| Laf | Laf | 0.5.0-alpha1 (including) | 0.5.0-alpha1 (including) |
| Laf | Laf | 0.5.0-alpha2 (including) | 0.5.0-alpha2 (including) |
| Laf | Laf | 0.5.0-alpha3 (including) | 0.5.0-alpha3 (including) |
| Laf | Laf | 0.5.1 (including) | 0.5.1 (including) |
| Laf | Laf | 0.5.1-alpha0 (including) | 0.5.1-alpha0 (including) |
| Laf | Laf | 0.5.2 (including) | 0.5.2 (including) |
| Laf | Laf | 0.5.2-alpha0 (including) | 0.5.2-alpha0 (including) |
| Laf | Laf | 0.5.3 (including) | 0.5.3 (including) |
| Laf | Laf | 0.5.4 (including) | 0.5.4 (including) |
| Laf | Laf | 0.5.4-alpha0 (including) | 0.5.4-alpha0 (including) |
| Laf | Laf | 0.5.5 (including) | 0.5.5 (including) |
| Laf | Laf | 0.5.5-alpha0 (including) | 0.5.5-alpha0 (including) |
| Laf | Laf | 0.5.6 (including) | 0.5.6 (including) |
| Laf | Laf | 0.5.7 (including) | 0.5.7 (including) |
| Laf | Laf | 0.5.7-alpha0 (including) | 0.5.7-alpha0 (including) |
| Laf | Laf | 0.5.8-alpha0 (including) | 0.5.8-alpha0 (including) |
| Laf | Laf | 0.6.0 (including) | 0.6.0 (including) |
| Laf | Laf | 0.6.0-alpha0 (including) | 0.6.0-alpha0 (including) |
| Laf | Laf | 0.6.0-alpha1 (including) | 0.6.0-alpha1 (including) |
| Laf | Laf | 0.6.0-alpha10 (including) | 0.6.0-alpha10 (including) |
| Laf | Laf | 0.6.0-alpha2 (including) | 0.6.0-alpha2 (including) |
| Laf | Laf | 0.6.0-alpha3 (including) | 0.6.0-alpha3 (including) |
| Laf | Laf | 0.6.0-alpha4 (including) | 0.6.0-alpha4 (including) |
| Laf | Laf | 0.6.0-alpha5 (including) | 0.6.0-alpha5 (including) |
| Laf | Laf | 0.6.0-alpha6 (including) | 0.6.0-alpha6 (including) |
| Laf | Laf | 0.6.0-alpha7 (including) | 0.6.0-alpha7 (including) |
| Laf | Laf | 0.6.0-alpha8 (including) | 0.6.0-alpha8 (including) |
| Laf | Laf | 0.6.0-alpha9 (including) | 0.6.0-alpha9 (including) |
| Laf | Laf | 0.6.1 (including) | 0.6.1 (including) |
| Laf | Laf | 0.6.2 (including) | 0.6.2 (including) |
| Laf | Laf | 0.6.3 (including) | 0.6.3 (including) |
| Laf | Laf | 0.6.4 (including) | 0.6.4 (including) |
| Laf | Laf | 0.6.5 (including) | 0.6.5 (including) |
| Laf | Laf | 0.6.6 (including) | 0.6.6 (including) |
| Laf | Laf | 0.6.7 (including) | 0.6.7 (including) |
| Laf | Laf | 0.6.8 (including) | 0.6.8 (including) |
| Laf | Laf | 0.6.9 (including) | 0.6.9 (including) |
| Laf | Laf | 0.6.10 (including) | 0.6.10 (including) |
| Laf | Laf | 0.6.11 (including) | 0.6.11 (including) |
| Laf | Laf | 0.6.12 (including) | 0.6.12 (including) |
| Laf | Laf | 0.6.13 (including) | 0.6.13 (including) |
| Laf | Laf | 0.6.14 (including) | 0.6.14 (including) |
| Laf | Laf | 0.6.15 (including) | 0.6.15 (including) |
| Laf | Laf | 0.6.16 (including) | 0.6.16 (including) |
| Laf | Laf | 0.6.17 (including) | 0.6.17 (including) |
| Laf | Laf | 0.6.18 (including) | 0.6.18 (including) |
| Laf | Laf | 0.6.19 (including) | 0.6.19 (including) |
| Laf | Laf | 0.6.20 (including) | 0.6.20 (including) |
| Laf | Laf | 0.6.21 (including) | 0.6.21 (including) |
| Laf | Laf | 0.6.22 (including) | 0.6.22 (including) |
| Laf | Laf | 0.6.23 (including) | 0.6.23 (including) |
| Laf | Laf | 0.7.0 (including) | 0.7.0 (including) |
| Laf | Laf | 0.7.1 (including) | 0.7.1 (including) |
| Laf | Laf | 0.7.2 (including) | 0.7.2 (including) |
| Laf | Laf | 0.7.3 (including) | 0.7.3 (including) |
| Laf | Laf | 0.7.4 (including) | 0.7.4 (including) |
| Laf | Laf | 0.7.5 (including) | 0.7.5 (including) |
| Laf | Laf | 0.7.6 (including) | 0.7.6 (including) |
| Laf | Laf | 0.7.7 (including) | 0.7.7 (including) |
| Laf | Laf | 0.7.8 (including) | 0.7.8 (including) |
| Laf | Laf | 0.7.9 (including) | 0.7.9 (including) |
| Laf | Laf | 0.7.10 (including) | 0.7.10 (including) |
| Laf | Laf | 0.7.11 (including) | 0.7.11 (including) |
| Laf | Laf | 0.8.0 (including) | 0.8.0 (including) |
| Laf | Laf | 0.8.0-alpha0 (including) | 0.8.0-alpha0 (including) |
| Laf | Laf | 0.8.0-alpha1 (including) | 0.8.0-alpha1 (including) |
| Laf | Laf | 0.8.0-alpha10 (including) | 0.8.0-alpha10 (including) |
| Laf | Laf | 0.8.0-alpha11 (including) | 0.8.0-alpha11 (including) |
| Laf | Laf | 0.8.0-alpha2 (including) | 0.8.0-alpha2 (including) |
| Laf | Laf | 0.8.0-alpha3 (including) | 0.8.0-alpha3 (including) |
| Laf | Laf | 0.8.0-alpha4 (including) | 0.8.0-alpha4 (including) |
| Laf | Laf | 0.8.0-alpha5 (including) | 0.8.0-alpha5 (including) |
| Laf | Laf | 0.8.0-alpha6 (including) | 0.8.0-alpha6 (including) |
| Laf | Laf | 0.8.0-alpha7 (including) | 0.8.0-alpha7 (including) |
| Laf | Laf | 0.8.0-alpha8 (including) | 0.8.0-alpha8 (including) |
| Laf | Laf | 0.8.0-alpha9 (including) | 0.8.0-alpha9 (including) |
| Laf | Laf | 0.8.1 (including) | 0.8.1 (including) |
| Laf | Laf | 0.8.2 (including) | 0.8.2 (including) |
| Laf | Laf | 0.8.3 (including) | 0.8.3 (including) |
| Laf | Laf | 0.8.4 (including) | 0.8.4 (including) |
| Laf | Laf | 0.8.5 (including) | 0.8.5 (including) |
| Laf | Laf | 0.8.5-alpha0 (including) | 0.8.5-alpha0 (including) |
| Laf | Laf | 0.8.6 (including) | 0.8.6 (including) |
| Laf | Laf | 0.8.7 (including) | 0.8.7 (including) |
| Laf | Laf | 0.8.7-alpha0 (including) | 0.8.7-alpha0 (including) |
| Laf | Laf | 0.8.7-alpha1 (including) | 0.8.7-alpha1 (including) |
| Laf | Laf | 0.8.7-alpha2 (including) | 0.8.7-alpha2 (including) |
| Laf | Laf | 0.8.7-alpha3 (including) | 0.8.7-alpha3 (including) |
| Laf | Laf | 0.8.8 (including) | 0.8.8 (including) |
| Laf | Laf | 0.8.9 (including) | 0.8.9 (including) |
| Laf | Laf | 0.8.10 (including) | 0.8.10 (including) |
| Laf | Laf | 0.8.11 (including) | 0.8.11 (including) |
| Laf | Laf | 0.8.12 (including) | 0.8.12 (including) |
| Laf | Laf | 0.8.13 (including) | 0.8.13 (including) |
| Laf | Laf | 1.0.0-alpha0 (including) | 1.0.0-alpha0 (including) |
| Laf | Laf | 1.0.0-alpha1 (including) | 1.0.0-alpha1 (including) |
| Laf | Laf | 1.0.0-alpha2 (including) | 1.0.0-alpha2 (including) |
| Laf | Laf | 1.0.0-alpha3 (including) | 1.0.0-alpha3 (including) |
| Laf | Laf | 1.0.0-alpha4 (including) | 1.0.0-alpha4 (including) |
| Laf | Laf | 1.0.0-alpha5 (including) | 1.0.0-alpha5 (including) |
| Laf | Laf | 1.0.0-alpha6 (including) | 1.0.0-alpha6 (including) |
| Laf | Laf | 1.0.0-beta0 (including) | 1.0.0-beta0 (including) |
| Laf | Laf | 1.0.0-beta1 (including) | 1.0.0-beta1 (including) |
| Laf | Laf | 1.0.0-beta10 (including) | 1.0.0-beta10 (including) |
| Laf | Laf | 1.0.0-beta11 (including) | 1.0.0-beta11 (including) |
| Laf | Laf | 1.0.0-beta12 (including) | 1.0.0-beta12 (including) |
| Laf | Laf | 1.0.0-beta13 (including) | 1.0.0-beta13 (including) |
| Laf | Laf | 1.0.0-beta2 (including) | 1.0.0-beta2 (including) |
| Laf | Laf | 1.0.0-beta3 (including) | 1.0.0-beta3 (including) |
| Laf | Laf | 1.0.0-beta4 (including) | 1.0.0-beta4 (including) |
| Laf | Laf | 1.0.0-beta5 (including) | 1.0.0-beta5 (including) |
| Laf | Laf | 1.0.0-beta6 (including) | 1.0.0-beta6 (including) |
| Laf | Laf | 1.0.0-beta7 (including) | 1.0.0-beta7 (including) |
| Laf | Laf | 1.0.0-beta8 (including) | 1.0.0-beta8 (including) |
| Laf | Laf | 1.0.0-beta9 (including) | 1.0.0-beta9 (including) |
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:
Information exposures can occur in different ways:
It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.