PT-2022-20451 · Cveproject · Cve-Services

Slubar · Published 2022-05-25 · Updated 2022-06-10 · CVE-2022-31004

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

CVEProject/cve-services versions prior to 1.1.1
CVEProject/cve-services versions 2.x
Description

The issue concerns a conditional in 'data.js' that may write production secrets to disk. Specifically, the method writes a generated randomKey to disk whenever the environment is not development, which is the reverse of what a development-only convenience should do. If the method is called in production, the key is stored in plaintext on the filesystem, where anyone with read access to that path, or to a backup or container image that captured it, can recover it.
Recommendations

Users of the 1.x branch should upgrade to 1.1.1 as soon as the hot-fix release is available; users of the 2.x branch should apply the corresponding hot-fix release once it is published. As a temporary workaround, restrict execution of the affected method in production environments so that no secret is written to disk. If the method has already run in production, treat any key it wrote as compromised: rotate the key and delete the file from the host and from any backups or images that captured it.

Weakness Enumeration

Cleartext Storage of Sensitive Information (CWE-312)

Related Identifiers

CVE-2022-31004
GHSA-mpwm-rmqp-7629

Affected Products

Cve-Services