{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23840", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-22T22:23:54.343Z", "datePublished": "2024-01-30T16:39:09.284Z", "dateUpdated": "2024-08-01T23:13:08.236Z"}, "containers": {"cna": {"title": "`goreleaser release --debug` shows secrets", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"}, {"name": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"}], "affected": [{"vendor": "goreleaser", "product": "goreleaser", "versions": [{"version": "1.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-30T16:39:09.284Z"}, "descriptions": [{"lang": "en", "value": "GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0."}], "source": {"advisory": "GHSA-h3q2-8whx-c29h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:08.236Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"}, {"name": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goreleaser:goreleaser:1.23.0:*:*:*:*:go:*:*", "matchCriteriaId": "876998FE-22A3-446E-ADF8-0C5BF63A1F96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0."}, {"lang": "es", "value": "GoReleaser crea archivos binarios de Go para varias plataformas, crea una versi\u00f3n de GitHub y luego env\u00eda una f\u00f3rmula Homebrew a un repositorio tap. El registro `goreleaser release --debug` muestra los valores secretos utilizados en el editor personalizado. Esta vulnerabilidad se solucion\u00f3 en 1.24.0."}], "id": "CVE-2024-23840", "lastModified": "2024-02-05T20:56:21.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-30T17:15:11.810", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "goreleaser: goreleaser release --debug shows secrets", "id": "2262014", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262014"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-532", "details": ["GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.", "A flaw was found in GoReleaser. This package log shows secret values that are supposed to be hidden when using --debug."], "mitigation": {"lang": "en:us", "value": "No mitigation is yet available for this vulnerability despite having control of the --debug and where the logs are located."}, "name": "CVE-2024-23840", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}], "public_date": "2024-01-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23840\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23840\nhttps://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"], "statement": "Red Hat rates this issue as having a Moderate impact since it requires a malicious user to have direct access to the GoReleaser commands by inserting the --debug flag and consuming the values from the logs. This normally requires an environment that is already compromised.", "threat_severity": "Moderate", "upstream_fix": "goreleaser 1.24.0"}