Veracode Vulnerability DatabaseVERACODE:35926Information Disclosure
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
41.5%
semantic-release is vulnerable to information disclosure. The vulnerability exists when the repository URL contains characters that are excluded from URI encoding by encodeURI, allowing an attacker to get access to sensitive information through the logs due to the lack of credential masking used in index.js
References
developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad
github.com/semantic-release/semantic-release/issues/2449
github.com/semantic-release/semantic-release/pull/2459
github.com/semantic-release/semantic-release/releases/tag/v19.0.3
github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
41.5%