Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmY3YtNXdody03cGN3
Exposure of Sensitive Information to an Unauthorized Actor in AEgir
Impact
aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm.
Patches
The code has been patched; users should upgrade to >= 21.10.1.
Workarounds
Run printenv to check your environment variables and revoke any secrets.
For more information
If you have any questions or comments about this advisory:
- Open an issue in aegir
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmY3YtNXdody03cGN3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00141
EPSS Percentile: 0.50523
Identifiers: GHSA-qfcv-5whw-7pcw, CVE-2020-11059
References:
- https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw
- https://nvd.nist.gov/vuln/detail/CVE-2020-11059
- https://github.com/ipfs/aegir/commit/e36e1def57b2dc1e4b7a5beba964c5924e87f8d8
- https://github.com/advisories/GHSA-qfcv-5whw-7pcw
Blast Radius: 28.2
Affected Packages
npm:aegir
Dependent packages: 825
Dependent repositories: 803
Downloads: 18,814 last month
Affected Version Ranges: >= 21.7.0, < 21.10.1
Fixed in: 21.10.1
All affected versions: 21.7.0, 21.8.0, 21.8.1, 21.9.0, 21.9.1, 21.9.2, 21.10.0
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.2.0, 4.0.0, 5.0.0, 5.0.1, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 10.0.0, 11.0.0, 11.0.1, 11.0.2, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.8, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 13.0.0, 13.0.1, 13.0.5, 13.0.6, 13.0.7, 13.1.0, 14.0.0, 15.0.0, 15.0.1, 15.1.0, 15.2.0, 15.3.0, 15.3.1, 17.0.0, 17.0.1, 17.1.0, 17.1.1, 18.0.0, 18.0.1, 18.0.2, 18.0.3, 18.1.0, 18.1.1, 18.2.0, 18.2.1, 18.2.2, 19.0.0, 19.0.3, 19.0.4, 19.0.5, 20.0.0, 20.1.0, 20.2.0, 20.3.0, 20.3.1, 20.3.2, 20.4.0, 20.4.1, 20.5.0, 20.5.1, 20.6.0, 20.6.1, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.2.0, 21.3.0, 21.3.2, 21.3.3, 21.4.0, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 21.4.5, 21.5.0, 21.5.1, 21.6.0, 21.10.1, 21.10.2, 22.0.0, 22.1.0, 23.0.0, 24.0.0, 25.0.0, 25.1.0, 26.0.0, 27.0.0, 28.0.0, 28.0.1, 28.0.2, 28.1.0, 28.2.0, 29.0.0, 29.0.1, 29.1.0, 29.2.0, 29.2.1, 29.2.2, 30.0.1, 30.1.0, 30.2.0, 30.3.0, 31.0.0, 31.0.1, 31.0.3, 31.0.4, 32.0.0, 32.0.1, 32.0.2, 32.1.0, 32.2.0, 33.0.0, 33.1.0, 33.1.1, 33.1.2, 33.2.0, 33.2.1, 33.2.2, 33.2.3, 33.2.4, 34.0.0, 34.0.1, 34.0.2, 34.0.3, 34.1.0, 35.0.0, 35.0.1, 35.0.2, 35.0.3, 35.0.4, 35.1.0, 35.1.1, 35.2.0, 35.2.1, 36.0.0, 36.0.1, 36.0.2, 36.1.0, 36.1.1, 36.1.2, 36.1.3, 36.2.0, 36.2.1, 36.2.2, 36.2.3, 37.0.0, 37.0.1, 37.0.2, 37.0.3, 37.0.4, 37.0.5, 37.0.6, 37.0.7, 37.0.8, 37.0.9, 37.0.10, 37.0.11, 37.0.12, 37.0.13, 37.0.14, 37.0.15, 37.0.16, 37.0.17, 37.1.0, 37.1.1, 37.2.0, 37.2.1, 37.3.0, 37.3.1, 37.4.0, 37.4.1, 37.4.2, 37.4.3, 37.4.4, 37.4.5, 37.4.6, 37.4.7, 37.4.8, 37.5.0, 37.5.1, 37.5.2, 37.5.3, 37.5.4, 37.5.5, 37.5.6, 37.5.7, 37.6.0, 37.6.1, 37.6.2, 37.6.3, 37.6.4, 37.6.5, 37.6.6, 37.6.7, 37.7.0, 37.7.1, 37.7.2, 37.7.3, 37.7.4, 37.7.5, 37.7.6, 37.7.7, 37.7.8, 37.7.9, 37.7.10, 37.7.11, 37.8.0, 37.9.0, 37.9.1, 37.9.2, 37.10.0, 37.10.1, 37.11.0, 37.12.0, 37.12.1, 38.0.0, 38.1.0, 38.1.1, 38.1.2, 38.1.3, 38.1.4, 38.1.5, 38.1.6, 38.1.7, 38.1.8, 39.0.0, 39.0.1, 39.0.2, 39.0.3, 39.0.4, 39.0.5, 39.0.6, 39.0.7, 39.0.8, 39.0.9, 39.0.10, 39.0.11, 39.0.12, 39.0.13, 40.0.0, 40.0.1, 40.0.2, 40.0.3, 40.0.4, 40.0.5, 40.0.6, 40.0.7, 40.0.8, 40.0.9, 40.0.10, 40.0.11, 40.0.12, 40.0.13, 41.0.0, 41.0.1, 41.0.2, 41.0.3, 41.0.4, 41.0.5, 41.0.6, 41.0.7, 41.0.8, 41.0.9, 41.0.10, 41.0.11, 41.0.12, 41.0.13, 41.0.14, 41.0.15, 41.0.16, 41.1.0, 41.1.1, 41.1.2, 41.1.3, 41.1.4, 41.1.5, 41.1.6, 41.1.7, 41.1.8, 41.1.9, 41.1.10, 41.1.11, 41.1.12, 41.1.13, 41.1.14, 41.2.0, 41.3.0, 41.3.1, 41.3.2, 41.3.3, 41.3.4, 41.3.5, 42.0.0, 42.0.1, 42.1.0, 42.1.1, 42.1.2, 42.1.3, 42.2.0, 42.2.1, 42.2.2, 42.2.3, 42.2.4, 42.2.5, 42.2.6, 42.2.7, 42.2.8, 42.2.9, 42.2.10, 42.2.11, 43.0.0, 43.0.1, 43.0.2, 43.0.3, 44.0.0, 44.0.1, 44.0.2, 44.0.3, 44.1.0, 44.1.1, 44.1.2, 44.1.3, 44.1.4, 45.0.0, 45.0.1, 45.0.2, 45.0.3, 45.0.4, 45.0.5