Lucene search

Veracode Vulnerability DatabaseVERACODE:44577

HistoryDec 05, 2023 - 10:19 a.m.

Sensitive Information Disclosure

2023-12-0510:19:16

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

google cloud

firestore

sensitive information disclosure

writebatch

transaction

software

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

@google-cloud/firestore is vulnerable to Sensitive Information Disclosure. The vulnerability is caused by logging the this._settings object when logging firestore objects like WriteBatch and Transaction etc. This leads to the leakage of the firestore key resulting in sensitive information disclosure.

CPENameOperatorVersion
@google-cloud/firestorele6.0.0
@google-cloud/firestorele6.0.0

CPE	Name	Operator	Version
	@google-cloud/firestore	le	6.0.0
	@google-cloud/firestore	le	6.0.0

References

github.com/googleapis/nodejs-firestore/commit/fa0ad66bc7e4a0c46f1ae5ca10b2a6f3a528ab6f

github.com/googleapis/nodejs-firestore/pull/1742

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VERACODE:44577