Snyk CLI Insertion of Sensitive Information into Log File Vulnerability
Vulnerability
A vulnerability exists in the Snyk CLI tool, specifically in versions prior to 1.1297.3, allowing for the unintentional logging of sensitive information. This issue arises when the CLI is run in debug mode, particularly with the log level set to TRACE. Under these conditions, container registry credentials provided through environment variables or command line arguments can be exposed in the local Snyk CLI debug logs. The vulnerability also extends to Snyk access and refresh tokens when the 'snyk auth' command is used with debug and TRACE log level.
Impact
Exploitation of this vulnerability can lead to the exposure of sensitive credentials, including container registry usernames and passwords, as well as Snyk access and refresh tokens, all of which can be written into the local CLI debug logs.
Reproduction
To reproduce this vulnerability, execute Snyk CLI commands such as 'snyk container test' or 'snyk container monitor' against a container registry. Ensure that debug mode is enabled and that the SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD environment variables are set with your container registry credentials. Alternatively, you can provide the credentials directly through the command line using the --username and --password options. After running the command, check the local Snyk CLI debug log to find the exposed credentials.
Remediation
Users can upgrade to Snyk CLI version 1.1297.3 or later, where this vulnerability has been addressed.
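Two defender-side checks that follow from the Reproduction and Remediation sections above, written as an added example (this is not code from the advisory or from Snyk): the first compares a `snyk --version` string against the first fixed release, 1.1297.3, and the second scans a local debug log for literal occurrences of the values held in SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD so a log that captured them can be found and redacted before it is attached to a ticket or shared. The log lines and credential values in the block are constructed sample data; the real Snyk CLI log format is not reproduced, and the helper names are the example's own.

```python
"""Checks for the Snyk CLI debug-log credential exposure (added example).

1. is_fixed_version(): is this CLI version at or past the fixed release?
2. find_leaked_secrets(): which log lines contain a credential value?
3. redact(): replace leaked values before the log leaves the machine.
"""
import os
import re

# First release in which the advisory says the issue is addressed.
FIXED_VERSION = (1, 1297, 3)

# Environment variables the advisory names as sources of registry credentials.
CREDENTIAL_VARS = ("SNYK_REGISTRY_USERNAME", "SNYK_REGISTRY_PASSWORD")


def parse_version(text):
    """Extract a MAJOR.MINOR.PATCH tuple from `snyk --version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_fixed_version(text):
    """True when the version in `text` is 1.1297.3 or later."""
    return parse_version(text) >= FIXED_VERSION


def secrets_from_env(env=None):
    """Collect the credential values currently set in the environment."""
    env = os.environ if env is None else env
    return {name: env.get(name, "") for name in CREDENTIAL_VARS}


def find_leaked_secrets(log_text, secrets):
    """Return (line_number, variable_name) for every line containing a secret.

    Empty values are skipped; otherwise '' would match every line.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secrets.items():
            if value and value in line:
                hits.append((line_no, name))
    return hits


def redact(log_text, secrets):
    """Replace each leaked value with a placeholder naming its source variable."""
    for name, value in secrets.items():
        if value:
            log_text = log_text.replace(value, f"<redacted:{name}>")
    return log_text


# Constructed sample data: an invented credential pair and two invented log
# lines in a TRACE-style layout. Neither is taken from a real Snyk log.
SAMPLE_SECRETS = {
    "SNYK_REGISTRY_USERNAME": "ci-bot",
    "SNYK_REGISTRY_PASSWORD": "hunter2-example",
}
SAMPLE_LOG = (
    "2024-01-01T00:00:00Z trace registry auth user=ci-bot pass=hunter2-example\n"
    "2024-01-01T00:00:01Z debug pulling registry.example.test/app:1.0\n"
)


if __name__ == "__main__":
    print("1.1297.2 fixed?", is_fixed_version("1.1297.2"))   # False
    print("1.1297.3 fixed?", is_fixed_version("1.1297.3"))   # True
    for line_no, name in find_leaked_secrets(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {line_no}: contains value of {name}")
    print(redact(SAMPLE_LOG, SAMPLE_SECRETS))
```

In practice the secrets would come from `secrets_from_env()` in the same shell session that ran the `snyk container` command, and the log text from whatever debug-log file or captured stderr that run produced; the version check is a quick way to gate CI images on the remediated release.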
