PT-2020-16355 · Npm · Semantic-Release

Dbjorge

Published

2020-11-18

Updated

2020-12-09

CVE-2020-26226

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions semantic-release versions prior to 17.2.3

Description The issue concerns the accidental disclosure of secrets in the npm package semantic-release. Secrets that contain characters which become encoded when included in a URL can be disclosed, while secrets without such characters are masked properly.

Recommendations For versions prior to 17.2.3, update to version 17.2.3 to resolve the issue. As a temporary workaround, consider avoiding the use of secrets that contain characters which become encoded when included in a URL until the update is applied.

Fix

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-116

Related Identifiers

CVE-2020-26226

GHSA-R2J6-P67H-Q639

Affected Products

Semantic-Release

PT-2020-16355 · Npm · Semantic-Release

CVE-2020-26226

Weakness Enumeration

Related Identifiers

Affected Products

References · 8