CVE-2025-2181 Checkov by Prisma Cloud: Cleartext Exposure of Credentials
Description
A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Checkov by Prisma Cloud 3.2.0 | < 3.2.449 | >= 3.2.449 |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: LOW, Suggested Urgency: MODERATE
Attacker finds a Prisma Cloud access key in a Checkov output file that a user uploaded to an insecure location.
- Severity: LOW
- CVSS-BT: 2.0 / CVSS-B: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Attacker gains access to a system and then finds a Checkov output file that contains an exposed Prisma Cloud access key.
- Severity: LOW
- CVSS-BT: 1.7 / CVSS-B: 5.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-312 Cleartext Storage of Sensitive Information
CAPEC-37 Retrieve Embedded Sensitive Data
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Checkov by Prisma Cloud 3.2 | 3.2.0 through 3.2.448 | Upgrade to 3.2.449 or later. |
Checkov integration in Prisma Cloud is upgraded automatically when new versions become available. All Prisma Cloud access keys used by Checkov should be rotated after upgrading to a fixed version (this step is recommended for all modes of using Checkov).
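The following Python sketch is an added example, not part of the advisory and not Palo Alto Networks code: it checks a version string against the affected range stated above and lists stored output files that contain your own access key in cleartext, so those files can be purged and the key rotated. The advisory does not describe how the key appears in Checkov's output, so the search is for the literal key value you supply; the file names, key value and file contents in `demo()` are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

FIRST_AFFECTED = (3, 2, 0)  # start of the affected range, per the advisory
FIXED = (3, 2, 449)         # first unaffected version, per the advisory


def parse_version(text):
    """Return (major, minor, patch) from a dotted version string, or None."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version_text):
    """True when the version lies in 3.2.0 <= v < 3.2.449."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised version: {version_text!r}")
    return FIRST_AFFECTED <= v < FIXED


def files_containing_key(root, secrets):
    """List (relative path, label) for files under root holding a key in cleartext."""
    # `secrets` maps a label to the key value; only the label is reported,
    # so the findings list does not repeat the credential itself.
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for label, value in secrets.items():
            if value and value.encode() in data:
                hits.append((str(path.relative_to(root)), label))
    return hits


def demo():
    """Scan constructed sample files (not real Checkov output)."""
    fake_key = "EXAMPLE-ACCESS-KEY-0000"  # constructed placeholder value
    with tempfile.TemporaryDirectory() as d:
        Path(d, "scan-old.json").write_text('{"note": "' + fake_key + '"}')
        Path(d, "scan-new.json").write_text('{"note": "redacted"}')
        return files_containing_key(d, {"prisma_access_key": fake_key})


if __name__ == "__main__":
    print(is_affected("3.2.448"), is_affected("3.2.449"), demo())
```

Any file the scan reports should be treated as having exposed the key, and the key rotated as described above, regardless of whether the file is later deleted.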
Workarounds and Mitigations
No known workarounds exist for this issue.
Acknowledgments
CPE Applicability
- cpe:2.3:a:palo_alto_networks:checkov_by_prisma_cloud:*:*:*:*:*:*:*:* is vulnerable from (including) 3.2.0 and up to (excluding) 3.2.449