Organizations could have their sensitive information compromised through a high-severity vulnerability in Google Cloud, Azure, and Amazon Web Services command line interface tools dubbed "LeakyCLI," The Hacker News reports.
Such a flaw, tracked as CVE-2023-36052, has already resulted in unintended access token and sensitive information leakages by GitHub projects on GitHub Actions, TravisCI, CircleCI, and Cloud Build logs, which could be leveraged by threat actors to facilitate further malicious activity, according to a report from Orca Security.
"If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can," said Orca Security researcher Roi Nisimi.
While the bug has already been addressed by Microsoft in November, both Amazon and Google noted the issue as expected behavior which should prompt the utilization of dedicated secrets storage services.
