Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmY3YtNXdody03cGN3

Exposure of Sensitive Information to an Unauthorized Actor in AEgir

Impact

aegir publish and aegir build may leak secrets from environmental variables in the browser bundle published to npm.

Patches

The code has been patched; users should upgrade to >= 21.10.1.

Workarounds

Run printenv to check your environment variables and revoke any secrets.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-qfcv-5whw-7pcw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmY3YtNXdody03cGN3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 4 years ago
Updated: 7 months ago
CVSS Score: 9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-qfcv-5whw-7pcw, CVE-2020-11059
References: Repository: https://github.com/ipfs/aegir
Blast Radius: 28.2

Affected Packages

npm:aegir
Dependent packages: 763
Dependent repositories: 803
Downloads: 15,712 last month
Affected Version Ranges: >= 21.7.0, < 21.10.1
Fixed in: 21.10.1
All affected versions: 21.7.0, 21.8.0, 21.8.1, 21.9.0, 21.9.1, 21.9.2, 21.10.0
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.2.0, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 10.0.0, 11.0.0, 11.0.1, 11.0.2, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.8, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 13.0.0, 13.0.1, 13.0.5, 13.0.6, 13.0.7, 13.1.0, 14.0.0, 15.0.0, 15.0.1, 15.1.0, 15.2.0, 15.3.0, 15.3.1, 17.0.0, 17.0.1, 17.1.0, 17.1.1, 18.0.0, 18.0.1, 18.0.2, 18.0.3, 18.1.0, 18.1.1, 18.2.0, 18.2.1, 18.2.2, 19.0.0, 19.0.3, 19.0.4, 19.0.5, 20.0.0, 20.1.0, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 20.4.0, 20.4.1, 20.5.0, 20.5.1, 20.6.0, 20.6.1, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.2.0, 21.3.0, 21.3.2, 21.3.3, 21.4.0, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 21.4.5, 21.5.0, 21.5.1, 21.6.0, 21.10.1, 21.10.2, 22.0.0, 22.1.0, 23.0.0, 24.0.0, 25.0.0, 25.1.0, 26.0.0, 27.0.0, 28.0.0, 28.0.1, 28.0.2, 28.1.0, 28.2.0, 29.0.0, 29.0.1, 29.1.0, 29.2.0, 29.2.1, 29.2.2, 30.0.1, 30.1.0, 30.2.0, 30.3.0, 31.0.0, 31.0.1, 31.0.3, 31.0.4, 32.0.0, 32.0.1, 32.0.2, 32.1.0, 32.2.0, 33.0.0, 33.1.0, 33.1.1, 33.1.2, 33.2.0, 33.2.1, 33.2.2, 33.2.3, 33.2.4, 34.0.0, 34.0.1, 34.0.2, 34.0.3, 34.1.0, 35.0.0, 35.0.1, 35.0.2, 35.0.3, 35.0.4, 35.1.0, 35.1.1, 35.2.0, 35.2.1, 36.0.0, 36.0.1, 36.0.2, 36.1.0, 36.1.1, 36.1.2, 36.1.3, 36.2.0, 36.2.1, 36.2.2, 36.2.3, 37.0.0, 37.0.1, 37.0.2, 37.0.3, 37.0.4, 37.0.5, 37.0.6, 37.0.7, 37.0.8, 37.0.9, 37.0.10, 37.0.11, 37.0.12, 37.0.13, 37.0.14, 37.0.15, 37.0.16, 37.0.17, 37.1.0, 37.1.1, 37.2.0, 37.2.1, 37.3.0, 37.3.1, 37.4.0, 37.4.1, 37.4.2, 37.4.3, 37.4.4, 37.4.5, 37.4.6, 37.4.7, 37.4.8, 37.5.0, 37.5.1, 37.5.2, 37.5.3, 37.5.4, 37.5.5, 37.5.6, 37.5.7, 37.6.0, 37.6.1, 37.6.2, 37.6.3, 37.6.4, 37.6.5, 37.6.6, 37.6.7, 37.7.0, 37.7.1, 37.7.2, 37.7.3, 37.7.4, 37.7.5, 37.7.6, 37.7.7, 37.7.8, 37.7.9, 37.7.10, 37.7.11, 37.8.0, 37.9.0, 37.9.1, 37.9.2, 37.10.0, 37.10.1, 37.11.0, 37.12.0, 37.12.1, 38.0.0, 38.1.0, 38.1.1, 38.1.2, 38.1.3, 38.1.4, 38.1.5, 38.1.6, 38.1.7, 38.1.8, 39.0.0, 39.0.1, 39.0.2, 39.0.3, 39.0.4, 39.0.5, 39.0.6, 39.0.7, 39.0.8, 39.0.9, 39.0.10, 39.0.11, 39.0.12, 39.0.13, 40.0.0, 40.0.1, 40.0.2, 40.0.3, 40.0.4, 40.0.5, 40.0.6, 40.0.7, 40.0.8, 40.0.9, 40.0.10, 40.0.11, 40.0.12, 40.0.13, 41.0.0, 41.0.1, 41.0.2, 41.0.3, 41.0.4, 41.0.5, 41.0.6, 41.0.7, 41.0.8, 41.0.9, 41.0.10, 41.0.11, 41.0.12, 41.0.13, 41.0.14, 41.0.15, 41.0.16, 41.1.0, 41.1.1, 41.1.2, 41.1.3, 41.1.4, 41.1.5, 41.1.6, 41.1.7, 41.1.8, 41.1.9, 41.1.10, 41.1.11, 41.1.12, 41.1.13, 41.1.14, 41.2.0, 41.3.0, 41.3.1, 41.3.2, 41.3.3, 41.3.4, 41.3.5, 42.0.0, 42.0.1, 42.1.0, 42.1.1, 42.1.2, 42.1.3, 42.2.0, 42.2.1, 42.2.2, 42.2.3, 42.2.4, 42.2.5, 42.2.6, 42.2.7