7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.4%
What kind of vulnerability is it? Who is impacted?
Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.
Has the problem been patched? What versions should users upgrade to?
Fixed in 19.0.3
Is there a way for users to fix or remediate the vulnerability without upgrading?
Secrets that do not contain characters that are excluded from encoding with encodeURI
when included in a URL are already masked properly.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
semantic-release | ge | 17.0.4 | |
semantic-release | lt | 19.0.3 |
developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
github.com/advisories/GHSA-x2pg-mjhr-2m5x
github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad
github.com/semantic-release/semantic-release/pull/2449
github.com/semantic-release/semantic-release/pull/2459
github.com/semantic-release/semantic-release/releases/tag/v19.0.3
github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x
nvd.nist.gov/vuln/detail/CVE-2022-31051
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.4%