PT-2023-19949

Jamespohalloran · Published 2023-02-08 · Updated 2023-02-18

CVE-2023-25164 · CVSS v3.1 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @tinacms/cli versions 1.0.0 through 1.0.8
Description: TinaCMS is a Git-backed headless content management system with support for visual editing. Sites built with @tinacms/cli 1.0.0 through 1.0.8 that read sensitive values from process.env are affected: the build writes those values in plaintext into the generated index.js bundle. That bundle is part of the site's build output, so anyone able to fetch the published site can read the values, which is why the CVSS vector records network reachability with no privileges or user interaction required. If a Tina-enabled website stores credentials such as Algolia API keys as environment variables, treat those keys as exposed and rotate them immediately.
Recommendations: For @tinacms/cli versions 1.0.0 through 1.0.8, upgrade to @tinacms/cli@1.0.9, which fixes the issue. Upgrading does not undo earlier builds: any sensitive credential that was stored as an environment variable while an affected version was in use, such as an Algolia API key, should be rotated immediately, and earlier build output should be treated as having disclosed those values wherever it was published or stored.

Weakness Enumeration

Insertion into Log File
Information Disclosure

Related Identifiers

CVE-2023-25164
GHSA-PC2Q-JCXQ-RJRR

Affected Products

@tinacms/cli
Algolia (API keys exposed by affected builds)