CVE-2023-6460 - OpenCVE

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Google	Cloud Firestore

Configuration 1 [-]

cpe:2.3:a:google:cloud_firestore:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/googleapis/nodejs-firestore/pull/1742	Issue Tracking Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2023-12-04T12:26:29.505Z

Updated: 2024-05-24T08:10:07.290Z

Reserved: 2023-12-01T11:10:57.359Z

Link: CVE-2023-6460

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-04T13:15:07.800

Modified: 2023-12-08T14:03:08.493

Link: CVE-2023-6460

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6460", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-12-01T11:10:57.359Z", "datePublished": "2023-12-04T12:26:29.505Z", "dateUpdated": "2024-05-24T08:10:07.290Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "nodejs-firestore", "repo": "https://github.com/googleapis/nodejs-firestore", "vendor": "Google", "versions": [{"lessThan": "6.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abhishek Mathur"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue"}], "value": "A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-05-24T08:10:07.290Z"}, "references": [{"url": "https://github.com/googleapis/nodejs-firestore/pull/1742"}], "source": {"discovery": "UNKNOWN"}, "title": "Information leak in nodejs-firestore", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:cloud_firestore:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "78F1EFF8-1061-46D1-A756-72B080F6F17A", "versionEndExcluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue"}, {"lang": "es", "value": "Existe un posible registro de la clave de Firestore a trav\u00e9s del registro dentro de nodejs-firestore: los desarrolladores que registraran objetos a trav\u00e9s de this._settings registrar\u00edan la clave de Firestore y potencialmente la expondr\u00edan a cualquier persona con acceso de lectura de registros. Recomendamos actualizar a la versi\u00f3n 6.1.0 para evitar este problema."}], "id": "CVE-2023-6460", "lastModified": "2023-12-08T14:03:08.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-12-04T13:15:07.800", "references": [{"source": "cve-coordination@google.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/googleapis/nodejs-firestore/pull/1742"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-922"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}