Veracode Vulnerability Database, VERACODE:45243
Jan 31, 2024 - 6:31 a.m.

Sensitive Information Into Log File

2024-01-31 06:31:42
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
goreleaser
information exposure
debug logs
sensitive information
information disclosure
environment variables
secrets
tokens

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.4
Confidence: High

EPSS: 0
Percentile: 9.0%

github.com/goreleaser/goreleaser is vulnerable to Information Exposure. The vulnerability is due to a flaw in the handling of debug logs: WithField("env", c.Env) is used to log environment variables. As a result, the output of the goreleaser release --debug command includes sensitive information such as secrets or tokens, which results in Information Disclosure.
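
The leak pattern described above can be avoided by passing the logger a redacted copy of the environment instead of the raw one. The following is an added example, not goreleaser's code or its actual fix; RedactEnv and safeKeys are hypothetical names, and the environment is assumed to be a slice of KEY=VALUE strings as returned by os.Environ.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// safeKeys is a hypothetical allowlist of variables whose values may be logged.
var safeKeys = map[string]bool{"GOOS": true, "GOARCH": true, "CGO_ENABLED": true}

// RedactEnv returns a sorted copy of env (KEY=VALUE strings) in which every
// value is masked unless its key is allowlisted. Deny-by-default means a
// secret stored under an innocuous name is still masked.
func RedactEnv(env []string, allow map[string]bool) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		i := strings.IndexByte(kv, '=') // split on the first '=' only
		if i <= 0 {
			// No usable key (malformed entry or leading '='): mask the whole entry.
			out = append(out, "[REDACTED]")
			continue
		}
		key := kv[:i]
		if allow[key] {
			out = append(out, kv)
		} else {
			out = append(out, key+"=[REDACTED]")
		}
	}
	sort.Strings(out) // deterministic order for log output
	return out
}

func main() {
	// Constructed sample environment; the secret values are fake.
	env := []string{
		"GOOS=linux",
		"GITHUB_TOKEN=fake-token-value",
		"DEPLOY_URL=https://user:pw=1@example.invalid/", // value itself contains '='
		"malformed-entry",
	}
	// Vulnerable pattern from the advisory: WithField("env", c.Env) logs raw values.
	// Hardened: only the redacted copy ever reaches the logger.
	fmt.Println("env:", RedactEnv(env, safeKeys))
}
```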
