redhatcve | Redhat.com | RH:CVE-2024-23840
Jan 30, 2024 - 10:53 p.m.

CVE-2024-23840

2024-01-30 22:53:27
redhat.com
access.redhat.com
Tags: goreleaser, vulnerability, secret values, logs

CVSS3: 5.5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

A flaw was found in GoReleaser. When run with --debug, the package's log output shows secret values that are supposed to be hidden.

Mitigation

No mitigation is yet available for this vulnerability, even though the user controls whether --debug is used and where the logs are located.
