Skip to content

Exposure of Sensitive Information to an Unauthorized Actor in semantic-release

Moderate severity GitHub Reviewed Published Jun 9, 2022 in semantic-release/semantic-release • Updated Jan 27, 2023

Package

npm semantic-release (npm)

Affected versions

>= 17.0.4, < 19.0.3

Patched versions

19.0.3

Description

Impact

What kind of vulnerability is it? Who is impacted?

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.

Patches

Has the problem been patched? What versions should users upgrade to?

Fixed in 19.0.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

References

@travi travi published to semantic-release/semantic-release Jun 9, 2022
Published by the National Vulnerability Database Jun 9, 2022
Published to the GitHub Advisory Database Jun 9, 2022
Reviewed Jun 9, 2022
Last updated Jan 27, 2023

Severity

Moderate
4.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2022-31051

GHSA ID

GHSA-x2pg-mjhr-2m5x

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.