{"id":"GO-2023-1497","summary":"Leaked user credentials in github.com/sylabs/scs-library-client","details":"When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider.","aliases":["CVE-2022-23538","GHSA-7p8m-22h4-9pj7"],"modified":"2026-03-17T04:29:42.809056Z","published":"2023-02-01T23:23:36Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1497"},"references":[{"type":"FIX","url":"https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa"},{"type":"FIX","url":"https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c"}],"affected":[{"package":{"name":"github.com/sylabs/scs-library-client","ecosystem":"Go","purl":"pkg:golang/github.com/sylabs/scs-library-client"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.ConcurrentDownloadImage","Client.UploadImage","Client.httpGetRangeRequest"],"path":"github.com/sylabs/scs-library-client/client"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1497.json"}},{"package":{"name":"github.com/sylabs/scs-library-client","ecosystem":"Go","purl":"pkg:golang/github.com/sylabs/scs-library-client"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.4.0"},{"fixed":"1.4.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.ConcurrentDownloadImage","Client.legacyDownloadImage"],"path":"github.com/sylabs/scs-library-client/client"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1497.json"}}],"schema_version":"1.7.5"}