Количество 2
Количество 2
CVE-2026-22798
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
GHSA-jm5j-jfrm-hm23
hermes's raw options logging may disclose secrets passed in via subcommand options argument
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2026-22798 hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | CVSS3: 5.9 | 0% Низкий | 27 дней назад |
| GHSA-jm5j-jfrm-hm23 hermes's raw options logging may disclose secrets passed in via subcommand options argument | CVSS3: 5.9 | 0% Низкий | 26 дней назад |
Уязвимостей на страницу