User with permission to write actions can impersonate another user when auth token is configured in environment variable
Impact
When lakeFS is configured with ALL of the following:
- Configuration option
auth.encrypt.secret_keypassed through environment variable - Actions enabled via configuration option
actions.enabled(default enabled)
then a user who can configure an action can impersonate any other user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
ANY ONE of these is sufficient to prevent the issue:
-
Do not pass
auth.encrypt.secret_keythrough an environment variable.For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
-
Disable actions.
-
Limit users allowed to configure actions.
| Software | From | Fixed in |
|---|---|---|
github.com/treeverse/lakefs
|
- | 1.3.1 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime