blob: 9bd7c2d3164f054296ab512b5ff604fa88579db8 [file] [log] [blame]
id: GO-2024-2482
modules:
- module: github.com/goreleaser/goreleaser
versions:
- introduced: 1.23.0
fixed: 1.24.0
vulnerable_at: 1.23.0
packages:
- package: github.com/goreleaser/goreleaser/internal/shell
symbols:
- Run
- package: github.com/goreleaser/goreleaser/internal/pipe/sbom
symbols:
- catalogArtifact
derived_symbols:
- Pipe.Run
- package: github.com/goreleaser/goreleaser/internal/exec
symbols:
- executeCommand
derived_symbols:
- Execute
fix_links:
- https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0
summary: Information leak in github.com/goreleaser/goreleaser
description: Secret values can be printed to the --debug log when using a a custom publisher.
cves:
- CVE-2024-23840
ghsas:
- GHSA-h3q2-8whx-c29h
credits:
- '@andreaangiolillo'
- '@caarlos0'
references:
- advisory: https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h
- fix: https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0
review_status: REVIEWED