AVID-2026-R1244

Description

S3 credentials included when exporting elyra notebook (CVE-2023-3361)

Details

A flaw was found in Red Hat OpenShift Data Science. When a pipeline is exported from the Elyra notebook pipeline editor as Python DSL or YAML, the exporter reads the S3 credentials from the cluster's data science pipeline server and writes them in plain text into the generated output, instead of writing a reference (ID) to a Kubernetes secret.

Reason for inclusion in AVID: The CVE describes a software flaw in the Elyra notebook exporter of Red Hat OpenShift Data Science, in which S3 credentials are saved in plaintext in exported pipeline definitions. This directly concerns AI pipeline tooling used to build and deploy AI systems, so it is a software vulnerability in a component (the RHODS/Elyra exporter) of the AI software stack. The exposed credentials create a credential-leakage risk in artifacts that can influence AI workflows, which aligns with software supply chain risk considerations for AI systems. The CVE description and references provide sufficient signal.

References

Affected or Relevant Artifacts

  • Developer: n/a, Red Hat
  • Deployer: n/a, Red Hat
  • Artifact Details:
      Type     Name
      System   odh-dashboard
      System   Red Hat OpenShift Data Science (RHODS)

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score: 7.7
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: 🟢 Low
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: NONE
Availability Impact: NONE

CWE

ID        Description
CWE-200   Exposure of Sensitive Information to an Unauthorized Actor

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-10-04
  • Version: 0.3.3
  • AVID Entry