PT-2023-19949 · Algolia+1 · Algolia+1
Jamespohalloran
Published: 2023-02-08 · Updated: 2023-02-18
CVE-2023-25164
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@tinacms/cli versions 1.0.0 through 1.0.8
Description
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli that store sensitive values in the process.env variable are impacted, as these values will be added in plaintext to the index.js file. If a Tina-enabled website has sensitive credentials stored as environment variables, such as Algolia API keys, users should rotate those keys immediately.
Recommendations
For @tinacms/cli versions 1.0.0 through 1.0.8, upgrade to @tinacms/cli@1.0.9 to patch the issue.
Rotate sensitive credentials stored as environment variables, such as Algolia API keys, immediately.
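To decide which credentials need rotating, the following added example (not code from this advisory or from the TinaCMS project) reports the names of environment variables whose values appear in the text of a built bundle such as the index.js described above. The variable names, values and bundle text are constructed, and the 12-character minimum length is an assumption.

```javascript
// Added example: find environment variables whose values were inlined
// verbatim into a built bundle. All names and values here are constructed.

// Assumption: values shorter than this ("true", "3000", "production")
// match by chance too often to be useful findings.
const MIN_SECRET_LENGTH = 12;

function findLeakedEnvVars(bundleText, env, minLength = MIN_SECRET_LENGTH) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== "string" || value.length < minLength) continue;
    // A bundler emits the value as a string literal, so quotes and
    // backslashes may appear escaped; check the raw and escaped forms.
    const escaped = JSON.stringify(value).slice(1, -1);
    if (bundleText.includes(value) || bundleText.includes(escaped)) {
      leaked.push(name); // report the name only, never the value
    }
  }
  return leaked.sort();
}

// Constructed environment: two values end up in the bundle, one does not.
const sampleEnv = {
  NODE_ENV: "production",
  ALGOLIA_ADMIN_KEY: "constructed-admin-key-0123456789",
  DB_PASSWORD: 'p@ss"word\\with-escapes',
  UNUSED_TOKEN: "constructed-token-never-bundled",
};

// Constructed bundle text standing in for the contents of a built index.js.
const sampleBundle = [
  "var env = {",
  '  NODE_ENV: "production",',
  '  ALGOLIA_ADMIN_KEY: "constructed-admin-key-0123456789",',
  "  DB_PASSWORD: " + JSON.stringify(sampleEnv.DB_PASSWORD) + ",",
  "};",
].join("\n");

console.log(findLeakedEnvVars(sampleBundle, sampleEnv));
```

In practice, pass the contents of the built bundle as `bundleText` and the build environment as `env`; every name returned is a credential to rotate.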
Exploit
Fix
Insertion into Log File
Information Disclosure
Related identifiers
Affected products
@tinacms/cli
Algolia