CVE-2024-23840

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-23840

Severity

5.5

Medium

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Summary

goreleaser release --debug shows secrets

Description

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. goreleaser release --debug log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23840
https://github.com/advisories/GHSA-h3q2-8whx-c29h
https://pkg.go.dev/vuln/GO-2024-2482
https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23840.json
https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0
https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-23840

Severity

Summary

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company