CVE-2024-24757 - Vulnerability Details - OpenCVE

Description

open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.

Published: 2024-02-02

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Degamisu

open-irs

affected

Version	Status	Constraints
`< 1.0.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:degamisu:open-irs:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-22149	open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00089.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr

History

No history.

Subscriptions

Degamisu Open-irs

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-02T15:37:27.364Z

Updated: 2024-08-01T23:28:11.867Z

Reserved: 2024-01-29T20:51:26.010Z

Link: CVE-2024-24757

Vulnrichment

Updated: 2024-08-01T23:28:11.867Z

NVD

Status : Modified

Published: 2024-02-02T16:15:55.970

Modified: 2024-11-21T08:59:38.263

Link: CVE-2024-24757

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24757", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.010Z", "datePublished": "2024-02-02T15:37:27.364Z", "dateUpdated": "2024-08-01T23:28:11.867Z"}, "containers": {"cna": {"title": "open-irs .env Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}], "affected": [{"vendor": "Degamisu", "product": "open-irs", "versions": [{"version": "< 1.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T15:37:27.364Z"}, "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}], "source": {"advisory": "GHSA-7r69-3vwh-wcfr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T16:06:25.755747Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:26.800Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.867Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.867Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T16:06:25.755747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:38.880Z"}}], "cna": {"title": "open-irs .env Exposure", "source": {"advisory": "GHSA-7r69-3vwh-wcfr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Degamisu", "product": "open-irs", "versions": [{"status": "affected", "version": "< 1.0.1"}]}], "references": [{"url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T15:37:27.364Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24757", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:11.867Z", "dateReserved": "2024-01-29T20:51:26.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-02T15:37:27.364Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:degamisu:open-irs:*:*:*:*:*:*:*:*", "matchCriteriaId": "43877684-573D-4753-9429-ECE9E10B9EC9", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}, {"lang": "es", "value": "open-irs es un robot de respuesta a problemas que responde a problemas en el repositorio instalado. El archivo `.env` se carg\u00f3 accidentalmente al trabajar con acciones de git. Este problema se solucion\u00f3 en 1.0.1. Descontinuar todas las claves sensibles y convertirlas en secretos."}], "id": "CVE-2024-24757", "lastModified": "2024-11-21T08:59:38.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T16:15:55.970", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}