Lucene search

GitHub Advisory DatabaseGHSA-PC2Q-JCXQ-RJRR

HistoryFeb 08, 2023 - 6:18 p.m.

Sensitive Information leak via Script File in TinaCMS

2023-02-0818:18:05

CWE-200

GitHub Advisory Database

github.com

tinacms

sensitive information

script file

security patch

environment variables

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS

0.002

Percentile

53.0%

JSON

Impact

Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env var are impacted. If you’re on a version prior to 1.0.0 this vulnerability does not affect you.

If your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately.

Patches

This issue has been patched in @tinacms/[email protected]

Workarounds

Upgrading, and rotating secure & exposed keys is required for the proper fix.

References

https://github.com/tinacms/tinacms/pull/3584

Affected configurations

Vulners

Node

tinacmscliRange1.0.0–1.0.9

VendorProductVersionCPE
tinacmscli*cpe:2.3:a:tinacms:cli:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tinacms	cli	*	cpe:2.3:a:tinacms:cli::::::::

References

github.com/advisories/GHSA-pc2q-jcxq-rjrr

github.com/tinacms/tinacms/pull/3584

github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr

nvd.nist.gov/vuln/detail/CVE-2023-25164

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS

0.002

Percentile

53.0%

JSON

Related for GHSA-PC2Q-JCXQ-RJRR