Sensitive Information Leak via Script File in TinaCMS
Description
TinaCMS is a Git-backed headless content management system with support for visual editing. Sites built with @tinacms/cli >= 1.0.0 and < 1.0.9 that read sensitive values from process.env are affected: the build writes those values in plaintext into the generated index.js script file. Versions prior to 1.0.0 are not affected. If your Tina-enabled site is affected and keeps credentials in environment variables (e.g. Algolia API keys), rotate those keys immediately; upgrading alone does not revoke values that were already emitted into a build. The issue is patched in @tinacms/cli@1.0.9, and users are advised to upgrade. There are no known workarounds.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @tinacms/cli | npm | >= 1.0.0, < 1.0.9 | 1.0.9 |
Affected products
- tinacms/tinacms: >= 1.0.0, < 1.0.9
Patches
Fixed in @tinacms/cli@1.0.9. The pull request github.com/tinacms/tinacms/pull/3584 is listed among the advisory's references.
Vulnerability mechanics
When a site on an affected @tinacms/cli version references values from process.env, the build step copies those values in plaintext into the generated index.js. The secrets therefore ship with the build output, and upgrading does not retract builds that were already produced, which is why the advisory asks for any exposed credentials to be rotated rather than merely rebuilt.
References
- github.com/advisories/GHSA-pc2q-jcxq-rjrr (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-25164 (NVD entry)
- github.com/tinacms/tinacms/pull/3584 (pull request, MISC)
- github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr (vendor advisory, CONFIRM)