GitHub Advisory DatabaseGHSA-H3Q2-8WHX-C29H`goreleaser release --debug` shows secrets
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Summary
Hello 👋
goreleaser release --debug log shows secret values used in the in the custom publisher.
How to reproduce the issue:
- Define a custom publisher as the one below. Make sure to provide a custom script to the
cmdfield and to provide a secret toenv
#.goreleaser.yml
publishers:
- name: my-publisher
# IDs of the artifacts we want to sign
ids:
- linux_archives
- linux_package
cmd: "./build/package/linux_notarize.sh"
env:
- VERSION={{ .Version }}
- SECRET_1={{.Env.SECRET_1}}
- SECRET_2={{.Env.SECRET_2}}
- run
goreleaser release --debug
You should see your secret value in the gorelease log. The log shows also the GITHUB_TOKEN
Example:
running cmd= ....
SECRET_1=secret_value
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/goreleaser/goreleaser | eq | 1.23.0 |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%