Description
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The `goreleaser release --debug` log shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0.
A flaw was found in GoReleaser: when run with `--debug`, its log output shows secret values that are supposed to be hidden.
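The defensive pattern behind the fix is to mask known secret values before they reach a log sink, rather than trusting every debug path to remember to hide them. The following Go example is added here to illustrate that pattern; it is not GoReleaser's code. It assumes a hypothetical `Redactor` wrapper around an `io.Writer` and collects the secrets to mask from a caller-supplied list of environment variable names.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Redactor is an io.Writer that masks known secret values before they reach
// the underlying log sink. Hypothetical helper, not part of GoReleaser.
type Redactor struct {
	w       io.Writer
	secrets []string // sorted longest first so overlapping values are fully masked
}

// NewRedactor drops empty/blank secrets (masking "" would corrupt every line)
// and orders the rest by length so a longer value is replaced before a prefix of it.
func NewRedactor(w io.Writer, secrets []string) *Redactor {
	var s []string
	for _, v := range secrets {
		if strings.TrimSpace(v) != "" {
			s = append(s, v)
		}
	}
	sort.Slice(s, func(i, j int) bool { return len(s[i]) > len(s[j]) })
	return &Redactor{w: w, secrets: s}
}

// Redact returns line with every known secret value replaced by "***".
func Redact(line string, secrets []string) string {
	return NewRedactor(io.Discard, secrets).redact(line)
}

func (r *Redactor) redact(s string) string {
	for _, sec := range r.secrets {
		s = strings.ReplaceAll(s, sec, "***")
	}
	return s
}

// Write satisfies io.Writer, so a logger can be pointed at the Redactor directly.
func (r *Redactor) Write(p []byte) (int, error) {
	if _, err := io.WriteString(r.w, r.redact(string(p))); err != nil {
		return 0, err
	}
	return len(p), nil
}

// SecretsFromEnv collects the values of the named environment variables
// (for example, the tokens a publisher step reads) so they can be masked.
func SecretsFromEnv(names []string) []string {
	var out []string
	for _, n := range names {
		if v, ok := os.LookupEnv(n); ok && v != "" {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	// Constructed sample: a debug-style log line that echoes a publisher token.
	var sink bytes.Buffer
	w := NewRedactor(&sink, []string{"ghp_examplesecret"})
	fmt.Fprintln(w, "DEBUG running custom publisher cmd=curl -H 'Authorization: ghp_examplesecret' ...")
	fmt.Print(sink.String()) // the token is printed as ***
}
```

Because the masking happens in the writer, it covers every log level, including debug output that formats a whole command line, which is the path this advisory describes. Values are replaced longest-first so that a secret that is a prefix of another cannot leave a partial leak.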
Statement
Red Hat rates this issue as having a Moderate impact, since it requires a malicious user to have direct access to the GoReleaser commands, inserting the --debug flag and then reading the values from the logs. This normally requires an environment that is already compromised.
Mitigation
No mitigation is yet available for this vulnerability, even though the user controls whether the --debug flag is set and where the logs are located.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Will not fix | | |
Additional information
Status:
EPSS
5.5 Medium
CVSS3
Related vulnerabilities
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The `goreleaser release --debug` log shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0.
A vulnerability in GoReleaser, the Go binary build tool, involving information disclosure through log files, which allows an attacker to expose protected information.
EPSS
5.5 Medium
CVSS3