rustsec · alexanderkjall · Dec 17, 2025
diff --git a/crates/aws-sigv4/RUSTSEC-0000-0000.md b/crates/aws-sigv4/RUSTSEC-0000-0000.md
@@ -0,0 +1,35 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "aws-sigv4"
+date = "2023-04-19"
+url = "https://github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-mjv9-vp6w-3rc9"
+
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+keywords = ["information", "leak", "aws", "logs"]
+aliases = ["CVE-2023-30610","GHSA-mjv9-vp6w-3rc9"]
+
+[versions]
+patched = [">= 0.55.1", "0.54.2", "0.53.2", "0.52.1", "0.51.1", "0.50.1", "0.49.1", "0.48.1", "0.47.1", "0.46.1", "0.15.1", "0.14.1", "0.13.1", "0.12.1", "0.11.1", "0.10.2", "0.9.1", "0.8.1", "0.7.1", "0.6.1", "0.5.3", "0.3.1", "0.2.1"]
+
+```
+
+# Logs AWS credentials when TRACE-level logging is enabled
+
+aws-sigv4 is a rust library for low level request signing in the aws cloud platform.
+
+The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation.
+When debug-formatted, it would include a user's AWS access key, AWS secret key,
+and security token in plaintext. When TRACE-level logging is enabled for an SDK,
+`SigningParams` is printed, thereby revealing those credentials to anyone
+with access to logs.
+
+All users of the AWS SDK for Rust who enabled TRACE-level logging,
+either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4`
+crate specifically are affected.
+
+This issue has been addressed in a set of new releases.
+
+Users are advised to upgrade.
+
+Users unable to upgrade should disable TRACE-level logging for AWS Rust SDK crates.