
Sensitive Information leak via Script File in TinaCMS

High
jamespohalloran published GHSA-pc2q-jcxq-rjrr Feb 8, 2023

Package

npm @tinacms/cli (npm)

Affected versions

>= 1.0.0, < 1.0.9

Patched versions

1.0.9

Description

Impact

Sensitive information is leaked via a script file in TinaCMS. Sites built with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env variables are impacted. If you are on a version prior to 1.0.0, this vulnerability does not affect you.

If your Tina-enabled website has sensitive credentials stored as environment variables (e.g. Algolia API keys), you should rotate those keys immediately.

Patches

This issue has been patched in @tinacms/cli@1.0.9

Workarounds

Upgrading, together with rotating any exposed secret keys, is required for the proper fix.

References

#3584

Severity

High, 8.6 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE ID

CVE-2023-25164

Weaknesses