CVE-2024-23840 - OpenCVE

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Goreleaser	Goreleaser

Configuration 1 [-]

cpe:2.3:a:goreleaser:goreleaser:1.23.0:*:*:*:*:go:*:*

References

Link	Resource
https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0	Patch
https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-30T16:39:09.284Z

Updated: 2024-01-30T16:39:09.284Z

Reserved: 2024-01-22T22:23:54.343Z

Link: CVE-2024-23840

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-30T17:15:11.810

Modified: 2024-02-05T20:56:21.880

Link: CVE-2024-23840

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goreleaser:goreleaser:1.23.0:*:*:*:*:go:*:*", "matchCriteriaId": "876998FE-22A3-446E-ADF8-0C5BF63A1F96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0."}, {"lang": "es", "value": "GoReleaser crea archivos binarios de Go para varias plataformas, crea una versi\u00f3n de GitHub y luego env\u00eda una f\u00f3rmula Homebrew a un repositorio tap. El registro `goreleaser release --debug` muestra los valores secretos utilizados en el editor personalizado. Esta vulnerabilidad se solucion\u00f3 en 1.24.0."}], "id": "CVE-2024-23840", "lastModified": "2024-02-05T20:56:21.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-30T17:15:11.810", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}