High severity · NVD Advisory · Published Nov 18, 2020 · Updated Aug 4, 2024
Secret disclosure in semantic-release
CVE-2020-26226
Description
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
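The masking gap described above, as an added example that is not semantic-release's own code: one masker replaces only the literal secret, the other also replaces its URL-encoded forms. The function names, the `[secure]` placeholder, the sample secret and the log line are all constructed, and the use of `encodeURI`/`encodeURIComponent` as the encodings to cover is an assumption.

```javascript
// Added example; not code from semantic-release. All names and values are constructed.
const MASK = '[secure]';

// Escape regex metacharacters so each secret is matched literally.
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Behaviour the advisory describes as insufficient: only the literal value is masked.
function maskRawOnly(secrets) {
  const values = secrets.filter(Boolean);
  if (values.length === 0) return (text) => text;
  const re = new RegExp(values.map(escapeRegExp).join('|'), 'g');
  return (text) => text.replace(re, MASK);
}

// Hardened variant: mask the literal value and its URL-encoded forms.
function maskWithEncodedForms(secrets) {
  const variants = new Set();
  for (const s of secrets.filter(Boolean)) {
    for (const v of [s, encodeURI(s), encodeURIComponent(s)]) variants.add(v);
  }
  // An empty alternation would match everywhere, so return an identity masker.
  if (variants.size === 0) return (text) => text;
  // Longest first, so a short variant never consumes part of a longer one.
  const alternation = [...variants]
    .sort((a, b) => b.length - a.length)
    .map(escapeRegExp)
    .join('|');
  const re = new RegExp(alternation, 'g');
  return (text) => text.replace(re, MASK);
}

// Constructed secret containing characters that are percent-encoded in a URL.
const SECRET = 's3cr^t val{ue}';
// Constructed log line: the secret appears once inside a URL and once literally.
const logLine =
  `fetch failed: https://user:${encodeURIComponent(SECRET)}@git.example.test/repo.git ` +
  `(token ${SECRET})`;

console.log(maskRawOnly([SECRET])(logLine));          // encoded copy survives
console.log(maskWithEncodedForms([SECRET])(logLine)); // both copies masked
```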
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| semantic-release (npm) | < 17.2.3 | 17.2.3 |
Affected products (2)
- Range: < 6.1.5
References (4)
- github.com/advisories/GHSA-r2j6-p67h-q639 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-26226 (ghsa, ADVISORY)
- github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a (ghsa, x_refsource_MISC, WEB)
- github.com/semantic-release/semantic-release/security/advisories/GHSA-r2j6-p67h-q639 (ghsa, x_refsource_CONFIRM, WEB)