CVE-2023-25164

2023-02-0820:15:24

CWE-532

CWE-200

GitHub_M

web.nvd.nist.gov

tinacms

git-backed

headless cms

content management system

@tinacms/cli

vulnerability

cve-2023-25164

sensitive values

environment variables

upgrade

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.002

Percentile

53.0%

JSON

Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you’re on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/[email protected]. Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Nvd

Vulners

Node

tinatinacmsRange1.0.0–1.0.9node.js

VendorProductVersionCPE
tinatinacms*cpe:2.3:a:tina:tinacms:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
tina	tinacms	*	cpe:2.3:a:tina:tinacms::::::node.js::*

CNA Affected

[
  {
    "vendor": "tinacms",
    "product": "tinacms",
    "versions": [
      {
        "version": ">= 1.0.0, < 1.0.9",
        "status": "affected"
      }
    ]
  }
]