Moderate severityNVD Advisory· Published Jan 30, 2024· Updated May 29, 2025
`goreleaser release --debug` shows secrets
CVE-2024-23840
Description
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. goreleaser release --debug log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/goreleaser/goreleaserGo | >= 1.23.0, < 1.24.0 | 1.24.0 |
Affected products
4- osv-coords3 versions
< 1.24.0-r0+ 2 more
- (no CPE)range: < 1.24.0-r0
- (no CPE)range: < 1.24.0-r0
- (no CPE)range: >= 1.23.0, < 1.24.0
- Range: 1.23.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-h3q2-8whx-c29hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23840ghsaADVISORY
- github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0ghsax_refsource_MISCWEB
- github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29hghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.