GHSA-xw22-wv29-3299
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xw22-wv29-3299
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-xw22-wv29-3299/GHSA-xw22-wv29-3299.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xw22-wv29-3299
- Aliases
- Related
- Published
- 2021-04-06T17:29:52Z
- Modified
- 2023-11-08T04:04:45.401902Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- ApiKey secret could be revelated on network issue
- Details
-
Impact
What kind of vulnerability is it? Who is impacted? Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too
Patches
Has the problem been patched? What versions should users upgrade to?
creharmony/node-etsy-client#18 fixes this issue. This is fixed in node-etsy-client v0.3.0 and later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not report or log etsy client error if you are using version <= v0.2.0
Update your version of node-etsy-client
References
Are there any links users can visit to find out more?
- https://github.com/creharmony/node-etsy-client/issues/17 : On connect error secret appears in error #17
For more information
If you have any questions or comments about this advisory: * Open an issue in github.com/creharmony/node-etsy-client/issues
- Database specific
{ "nvd_published_at": "2021-04-01T22:15:00Z", "github_reviewed_at": "2021-04-02T17:05:21Z", "github_reviewed": true, "cwe_ids": [ "CWE-200", "CWE-209" ], "severity": "HIGH" }- References
Affected packages
npm / node-etsy-client
Package
- Name
- node-etsy-client
- View open source insights on deps.dev
- Purl
- pkg:npm/node-etsy-client