GHSA-f6mm-5fc7-3g3c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6mm-5fc7-3g3c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-f6mm-5fc7-3g3c/GHSA-f6mm-5fc7-3g3c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6mm-5fc7-3g3c
- Aliases
- Related
- Published
- 2024-05-15T17:17:10Z
- Modified
- 2024-06-04T16:56:54.458357Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- goreleaser shows environment by default
- Details
-
Summary
Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the
go buildoutput is non-empty, goreleaser leaks the environment.PoC
- Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete
$GOPATH/pkg). - Make sure to have secrets set in the environment
- Make sure to not have
go mod tidyin a before hook - Run
goreleaser release --clean - Go prints lots of
go: downloading ...lines, which triggers the "if output not empty, log it" line, which includes the environment.
Impact
Credentials and tokens are leaked.
- Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete
- References
Affected packages
Go / github.com/goreleaser/goreleaser
Package
- Name
- github.com/goreleaser/goreleaser
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/goreleaser/goreleaser