Lucene search

K
githubGitHub Advisory DatabaseGHSA-PC2Q-JCXQ-RJRR
HistoryFeb 08, 2023 - 6:18 p.m.

Sensitive Information leak via Script File in TinaCMS

2023-02-0818:18:05
CWE-200
GitHub Advisory Database
github.com
23
tinacms
sensitive information
script file
security patch
environment variables

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS

0.002

Percentile

53.0%

Impact

Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env var are impacted. If you’re on a version prior to 1.0.0 this vulnerability does not affect you.

If your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately.

Patches

This issue has been patched in @tinacms/[email protected]

Workarounds

Upgrading, and rotating secure & exposed keys is required for the proper fix.

References

https://github.com/tinacms/tinacms/pull/3584

Affected configurations

Vulners
Node
tinacmscliRange1.0.01.0.9
VendorProductVersionCPE
tinacmscli*cpe:2.3:a:tinacms:cli:*:*:*:*:*:*:*:*

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS

0.002

Percentile

53.0%

Related for GHSA-PC2Q-JCXQ-RJRR