PT-2020-12520 · Npm · Aegir
Hugomrdias · Published 2020-05-27 · Updated 2021-10-07 · CVE-2020-11059
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AEgir versions 21.7.0 through 21.10.0
Description
Secrets held in environment variables can leak into the browser bundle published to npm when using aegir publish and aegir build. This has been fixed in version 21.10.1.
Recommendations
For AEgir versions 21.7.0 through 21.10.0, upgrade to version 21.10.1 or later to resolve the issue.
As a temporary workaround, consider running printenv to check environment variables and revoke any secrets.
Restrict access to sensitive environment variables to minimize the risk of exploitation.
Fix
Information Disclosure
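The exposure described above can be checked for directly. This added example (not code from the advisory or from the AEgir project) scans a bundle's text for the values of environment variables and reports only the variable names; the function name, ignore list, CLI invocation and sample data are assumptions constructed for illustration.

```javascript
// Added example: all names and sample data here are hypothetical/constructed.
// Variables that are not secrets and whose values often appear in code anyway.
const IGNORED = new Set(['PATH', 'HOME', 'PWD', 'SHELL', 'USER', 'LANG', 'TERM', 'NODE_ENV']);

// Return the sorted names of env variables whose values occur in bundleText.
// Only names are returned, never values, so the result is safe to log.
function findLeakedEnv(bundleText, env, minLength = 8) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    // Short values ("true", "1") would match unrelated code, so skip them.
    if (IGNORED.has(name) || typeof value !== 'string' || value.length < minLength) continue;
    // A value inlined as a JS string literal is escaped, so test that form too.
    const escaped = JSON.stringify(value).slice(1, -1);
    if (bundleText.includes(value) || bundleText.includes(escaped)) leaked.push(name);
  }
  return leaked.sort();
}

// Constructed sample: a build environment and a bundle that inlined part of it.
const SAMPLE_ENV = {
  NPM_TOKEN: 'constructed-npm-token-0001',
  API_KEY: 'constructed\\key"with-quote', // contains a backslash and a quote
  CI: 'true',
  PATH: '/usr/local/bin:/usr/bin',
  UNUSED_SECRET: 'constructed-unused-secret',
};
const SAMPLE_BUNDLE =
  'var e={"NPM_TOKEN":' + JSON.stringify(SAMPLE_ENV.NPM_TOKEN) +
  ',"API_KEY":' + JSON.stringify(SAMPLE_ENV.API_KEY) +
  ',"PATH":"/usr/local/bin:/usr/bin"};console.log(e);';

console.log(findLeakedEnv(SAMPLE_BUNDLE, SAMPLE_ENV));

// Assumed CLI use: node scan-bundle.js <path-to-built-bundle.js>
// Run it in the same environment that produced the build.
if (typeof require === 'function' && typeof module !== 'undefined' &&
    require.main === module && process.argv[2]) {
  const text = require('fs').readFileSync(process.argv[2], 'utf8');
  const hits = findLeakedEnv(text, process.env);
  console.log(hits.length ? 'Values found in bundle for: ' + hits.join(', ')
                          : 'No environment values found in bundle');
  process.exitCode = hits.length ? 1 : 0; // non-zero lets CI block the publish
}
```

Any variable named in the output should be treated as exposed and its secret revoked, as the recommendations state.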
Affected Products
Aegir