PT-2024-1505 · Unknown · Goreleaser

Andreaangiolillo · Published 2024-01-30 · Updated 2024-02-13 · CVE-2024-23840

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

GoReleaser versions prior to 1.24.0

Description

The issue is an information disclosure through log files. When a custom publisher is used with goreleaser release --debug, the secret values used in the custom publisher are printed to the log. This could allow an attacker to disclose protected information. The estimated number of potentially affected devices worldwide is not specified.

Recommendations

For versions prior to 1.24.0, update to version 1.24.0 to resolve the issue. As a temporary workaround, avoid using the --debug flag with goreleaser release, so that secret values are not printed to the log.
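
Added example (not part of the advisory and not GoReleaser code): a Go check that reports which known secret values appear verbatim in a saved build log from a run made with --debug, and redacts them before the log is stored. The log lines, variable names, secret values and the 8-character threshold are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// minLen (an assumed threshold) skips short values such as "true" that match unrelated text.
const minLen = 8

// Constructed sample data: not real GoReleaser output and not real credentials.
var sampleSecrets = map[string]string{
	"UPLOAD_TOKEN": "tok_constructed_0123456789",
	"SIGNING_KEY":  "key_constructed_abcdef",
	"CI":           "true",
}

const sampleLog = `running custom publisher
debug: cmd=upload.sh env=[UPLOAD_TOKEN=tok_constructed_0123456789 CI=true]
publish finished
`

// LeakedSecrets returns the sorted names of secrets whose value appears
// verbatim in the log text.
func LeakedSecrets(log string, secrets map[string]string) []string {
	var names []string
	for name, val := range secrets {
		if len(val) >= minLen && strings.Contains(log, val) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// Redact replaces each leaked value with a marker naming the variable,
// so the log can be kept while the credential is rotated.
func Redact(log string, secrets map[string]string) string {
	for _, name := range LeakedSecrets(log, secrets) {
		log = strings.ReplaceAll(log, secrets[name], "[REDACTED:"+name+"]")
	}
	return log
}

func main() {
	fmt.Println("leaked:", LeakedSecrets(sampleLog, sampleSecrets))
	fmt.Print(Redact(sampleLog, sampleSecrets))
}
```

Any name it reports identifies a credential to rotate, since redacting the stored copy does not undo exposure to anyone who already read the log.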

Exploit

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

BDU:2024-01013
CVE-2024-23840
GHSA-H3Q2-8WHX-C29H
GO-2024-2482

Affected Products

Goreleaser