CVE-2024-24757 - Vulnerability Details - OpenCVE

open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00091.

Key SSVC decision points have not yet been added.

Vendors	Products
Degamisu	Open-irs

Configuration 1 [-]

cpe:2.3:a:degamisu:open-irs:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-02T15:37:27.364Z

Updated: 2024-08-01T23:28:11.867Z

Reserved: 2024-01-29T20:51:26.010Z

Link: CVE-2024-24757

Vulnrichment

Updated: 2024-08-01T23:28:11.867Z

NVD

Status : Modified

Published: 2024-02-02T16:15:55.970

Modified: 2024-11-21T08:59:38.263

Link: CVE-2024-24757

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24757", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.010Z", "datePublished": "2024-02-02T15:37:27.364Z", "dateUpdated": "2024-08-01T23:28:11.867Z"}, "containers": {"cna": {"title": "open-irs .env Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}], "affected": [{"vendor": "Degamisu", "product": "open-irs", "versions": [{"version": "< 1.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T15:37:27.364Z"}, "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}], "source": {"advisory": "GHSA-7r69-3vwh-wcfr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T16:06:25.755747Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:26.800Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.867Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.867Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T16:06:25.755747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:38.880Z"}}], "cna": {"title": "open-irs .env Exposure", "source": {"advisory": "GHSA-7r69-3vwh-wcfr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Degamisu", "product": "open-irs", "versions": [{"status": "affected", "version": "< 1.0.1"}]}], "references": [{"url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "name": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T15:37:27.364Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24757", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:11.867Z", "dateReserved": "2024-01-29T20:51:26.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-02T15:37:27.364Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:degamisu:open-irs:*:*:*:*:*:*:*:*", "matchCriteriaId": "43877684-573D-4753-9429-ECE9E10B9EC9", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.\n"}, {"lang": "es", "value": "open-irs es un robot de respuesta a problemas que responde a problemas en el repositorio instalado. El archivo `.env` se carg\u00f3 accidentalmente al trabajar con acciones de git. Este problema se solucion\u00f3 en 1.0.1. Descontinuar todas las claves sensibles y convertirlas en secretos."}], "id": "CVE-2024-24757", "lastModified": "2024-11-21T08:59:38.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T16:15:55.970", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Degamisu/open-irs/security/advisories/GHSA-7r69-3vwh-wcfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}