VYPR
Medium severity · 5.9 · GHSA Advisory · Published Jul 17, 2024 · Updated Apr 15, 2026

CVE-2024-6833

Description

A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    | Ecosystem | Affected versions    | Patched versions
@zowe/cli  | npm       | >= 7.18.0, < 7.23.5  | 7.23.5

Affected products: 1

Patches: 1

6778da5e03c6

Merge pull request #2084 from zowe/fix/auto-init-missing-default-base

https://github.com/zowe/zowe-cli · Fernando Rijo Cedeno · Mar 11, 2024 · via ghsa
3 files changed · +32 −9
  • packages/cli/CHANGELOG.md · +4 −0 · modified
    @@ -2,6 +2,10 @@
     
     All notable changes to the Zowe CLI package will be documented in this file.
     
    +## Recent Changes
    +
    +- BugFix: Fixed default base profile missing in config generated by `zowe config auto-init` [#2084](https://github.com/zowe/zowe-cli/pull/2084)
    +
     ## `7.23.4`
     
     - BugFix: Updated dependencies of the daemon client for technical currency [#2076](https://github.com/zowe/zowe-cli/pull/2076)
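Review bot: the changelog entry in this hunk names only the missing-default-base fix, but the same PR also changes what `zowe config auto-init` carries over from an existing base profile: `user`, `password`, `certFile` and `certKeyFile` are dropped and the profile's existing `secure` list is preserved instead of being reset to `[]` (see `getOldBaseProfileProps` and the `secure: oldBaseProfile.secure ?? []` line below). Users whose stored credentials were written out in plaintext by earlier versions need to find that in the changelog; add a second entry such as "BugFix: Fixed `zowe config auto-init` copying secured base-profile credentials into the plaintext config" with the same PR link.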
    
  • packages/cli/src/config/auto-init/ApimlAutoInitHandler.ts · +24 −8 · modified
    @@ -15,7 +15,7 @@ import * as lodash from "lodash";
     import { ZosmfSession } from "@zowe/zosmf-for-zowe-sdk";
     import { BaseAutoInitHandler, AbstractSession, ICommandArguments, IConfig, IConfigProfile,
         ISession, IHandlerResponseApi, IHandlerParameters, SessConstants, ImperativeConfig,
    -    ImperativeError, RestClientError, TextUtils
    +    ImperativeError, RestClientError, TextUtils, Config
     } from "@zowe/imperative";
     import { IApimlProfileInfo, IAutoInitRpt, IProfileRpt, Login, Services } from "@zowe/core-for-zowe-sdk";
     
    @@ -118,29 +118,32 @@ export default class ApimlAutoInitHandler extends BaseAutoInitHandler {
                     },
                     secure: []
                 };
    -            profileConfig.defaults[this.mProfileType] = this.mProfileType;
                 activeBaseProfile = this.mProfileType;
                 baseProfileCreated = true;
             } else {
    +            const oldBaseProfile = this.getOldBaseProfileProps(config, activeBaseProfile);
                 lodash.set(profileConfig, config.api.profiles.getProfilePathFromName(activeBaseProfile), {
                     type: this.mProfileType,
                     properties: {
    -                    ...config.api.profiles.get(activeBaseProfile),
    +                    ...oldBaseProfile.properties,
                         host: session.ISession.hostname,
                         port: session.ISession.port,
                         rejectUnauthorized: session.ISession.rejectUnauthorized,
                     },
    -                secure: []
    +                secure: oldBaseProfile.secure ?? []
                 });
             }
     
             if (session.ISession.tokenType != null && session.ISession.tokenValue != null) {
    -            const expandedBaseProfilePath = config.api.profiles.getProfilePathFromName(activeBaseProfile);
    -            lodash.get(profileConfig, expandedBaseProfilePath).properties.tokenType = session.ISession.tokenType;
    -            lodash.get(profileConfig, expandedBaseProfilePath).properties.tokenValue = session.ISession.tokenValue;
    -            lodash.get(profileConfig, expandedBaseProfilePath).secure.push("tokenValue");
    +            const baseProfileConfig = lodash.get(profileConfig, config.api.profiles.getProfilePathFromName(activeBaseProfile));
    +            baseProfileConfig.properties.tokenType = session.ISession.tokenType;
    +            baseProfileConfig.properties.tokenValue = session.ISession.tokenValue;
    +            if (!baseProfileConfig.secure.includes("tokenValue")) {
    +                baseProfileConfig.secure.push("tokenValue");
    +            }
             }
     
    +        profileConfig.defaults[this.mProfileType] = activeBaseProfile;
             this.recordProfilesFound(profileInfos);
     
             // Report whether or not we created a base profile in this auto-init execution
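Review bot: `secure: oldBaseProfile.secure ?? []` in the `else` branch guards a case that cannot occur, because `getOldBaseProfileProps` always returns the result of `secureProps.filter(...)`, which is an array; if `securePropsForProfile` could ever return `undefined`, the helper would already have thrown on `.filter` before this line runs. Either drop the `??` fallback or move the guard into the helper (`(config.api.secure.securePropsForProfile(baseProfileName) ?? []).filter(...)`) so the defensive check sits where it can actually take effect. The `!baseProfileConfig.secure.includes("tokenValue")` guard, on the other hand, is needed now that the carried-over secure list may already contain `tokenValue`, and moving `profileConfig.defaults[this.mProfileType] = activeBaseProfile` below both branches is what makes the default point at the reused profile rather than always at `this.mProfileType`; a one-line comment there would spare the next reader the diff archaeology.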
    @@ -515,4 +518,17 @@ export default class ApimlAutoInitHandler extends BaseAutoInitHandler {
                 }
             }
         }
    +
    +    private getOldBaseProfileProps(config: Config, baseProfileName: string): IConfigProfile {
    +        const propsToRemove = ["user", "password", "certFile", "certKeyFile"];
    +        const properties = config.api.profiles.get(baseProfileName);
    +        for (const propName of propsToRemove) {
    +            properties[propName] = undefined;
    +        }
    +        const secureProps = config.api.secure.securePropsForProfile(baseProfileName);
    +        return {
    +            properties,
    +            secure: secureProps.filter((propName) => !propsToRemove.includes(propName))
    +        };
    +    }
     }
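Review bot: `getOldBaseProfileProps` mutates the object returned by `config.api.profiles.get(baseProfileName)` in place (`properties[propName] = undefined`); if `get` hands back a reference into the loaded config rather than a copy, the in-memory base profile loses its `user`/`password`/`certFile`/`certKeyFile` for the rest of the process, not just in the config that auto-init writes. Copy before stripping and use `delete`, which also avoids leaving `undefined`-valued keys in the object that later code may iterate over: `const properties = { ...config.api.profiles.get(baseProfileName) };` then `delete properties[propName];`. The hardcoded `propsToRemove` list is also worth a comment saying it is intentional: any other secured property survives only because it stays in the filtered `secure` array, so a future credential-bearing property that is not vaulted would be copied over in plaintext exactly as before.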
    
  • packages/cli/__tests__/config/auto-init/__unit__/ApimlAutoInitHandler.unit.test.ts · +4 −1 · modified
    @@ -29,7 +29,10 @@ function mockConfigApi(properties: IConfig | undefined): any {
                 },
                 profiles: {
                     getProfilePathFromName: (name: string) => `profiles.${name}`,
    -                get: jest.fn()
    +                get: jest.fn().mockReturnValue({})
    +            },
    +            secure: {
    +                securePropsForProfile: jest.fn().mockReturnValue([])
                 }
             },
             exists: true,
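Review bot: with `get` mocked to return `{}` and `securePropsForProfile` to return `[]`, this hunk only keeps the existing tests compiling against the new calls; nothing exercises the path the fix exists for. Add a case where `get` returns a profile carrying `user` and `password` (plus an unrelated property such as `host`) and `securePropsForProfile` returns `["user", "password"]`, then assert that the generated base profile has neither credential in `properties` and that its `secure` array does not list them; a second case with `"tokenValue"` already in the returned secure list would cover the new `includes` guard by asserting the entry appears exactly once.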
    

Vulnerability mechanics

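The behaviour the advisory describes, modelled as an added TypeScript example (not Zowe's own code): the pre-7.23.5 base-profile merge performed by `zowe config auto-init` beside a merge that mirrors the fix from the patch above, and a simplified model of the config writer that shows which property values each merge would land in the plaintext config file rather than in the credential vault. `Profile`, `SessionInfo` and `splitForStorage` are stand-ins for Zowe's team-config and credential-store handling, and the old base profile and session values are constructed sample input.

```typescript
// Added example for CVE-2024-6833; not Zowe's code. Models the pre-7.23.5
// base-profile merge in `zowe config auto-init` beside a merge that mirrors
// the fix, and shows which values each one would write to plaintext.

// Simplified stand-in for one profile in a Zowe team config (assumption):
// `properties` holds every value as loaded, secure ones already resolved
// from the credential store; `secure` names the properties kept in the vault.
export interface Profile {
  type: string;
  properties: Record<string, unknown>;
  secure: string[];
}

// Simplified stand-in for the session auto-init obtains from API ML (assumption).
export interface SessionInfo {
  hostname: string;
  port: number;
  rejectUnauthorized: boolean;
  tokenType?: string;
  tokenValue?: string;
}

// Credential-bearing properties the fix strips from the carried-over profile.
export const CREDENTIAL_PROPS = ["user", "password", "certFile", "certKeyFile"];

// Vulnerable merge (pre-7.23.5): spreads every loaded property, resolved
// secure values included, and resets `secure` to [], so only the fresh token
// is routed back to the vault and the old credentials go to plaintext.
export function mergeBaseProfileVulnerable(old: Profile, session: SessionInfo): Profile {
  const merged: Profile = {
    type: "base",
    properties: {
      ...old.properties,
      host: session.hostname,
      port: session.port,
      rejectUnauthorized: session.rejectUnauthorized,
    },
    secure: [],
  };
  if (session.tokenType != null && session.tokenValue != null) {
    merged.properties.tokenType = session.tokenType;
    merged.properties.tokenValue = session.tokenValue;
    merged.secure.push("tokenValue");
  }
  return merged;
}

// Hardened merge (7.23.5 behaviour): drops credential properties from a copy
// of the old profile, keeps its remaining secure list, and adds "tokenValue"
// to that list only once.
export function mergeBaseProfileFixed(old: Profile, session: SessionInfo): Profile {
  const properties: Record<string, unknown> = { ...old.properties }; // copy, never mutate the input
  for (const name of CREDENTIAL_PROPS) {
    delete properties[name];
  }
  const merged: Profile = {
    type: "base",
    properties: { ...properties, host: session.hostname, port: session.port, rejectUnauthorized: session.rejectUnauthorized },
    secure: old.secure.filter((name) => !CREDENTIAL_PROPS.includes(name)),
  };
  if (session.tokenType != null && session.tokenValue != null) {
    merged.properties.tokenType = session.tokenType;
    merged.properties.tokenValue = session.tokenValue;
    if (!merged.secure.includes("tokenValue")) {
      merged.secure.push("tokenValue");
    }
  }
  return merged;
}

// Simplified model of the config writer (assumption): properties named in
// `secure` go to the credential vault, everything else lands in plaintext.
export function splitForStorage(profile: Profile): { plaintext: Record<string, unknown>; vault: Record<string, unknown> } {
  const plaintext: Record<string, unknown> = {};
  const vault: Record<string, unknown> = {};
  for (const [name, value] of Object.entries(profile.properties)) {
    if (value === undefined) continue; // JSON serialisation drops these anyway
    (profile.secure.includes(name) ? vault : plaintext)[name] = value;
  }
  return { plaintext, vault };
}

// Constructed sample input: a base profile whose user/password were vaulted
// by an earlier `zowe config secure`, and the session auto-init just created.
export const SAMPLE_OLD_BASE: Profile = {
  type: "base",
  properties: { host: "old.example.com", port: 443, rejectUnauthorized: true, user: "ibmuser", password: "hunter2" },
  secure: ["user", "password"],
};
export const SAMPLE_SESSION: SessionInfo = {
  hostname: "apiml.example.com",
  port: 7554,
  rejectUnauthorized: true,
  tokenType: "apimlAuthenticationToken",
  tokenValue: "eyJhbGciOiJSUzI1NiJ9.constructed-sample-token",
};

// Names of credential properties a given merge would write to plaintext.
export function leakedCredentials(merge: (old: Profile, session: SessionInfo) => Profile): string[] {
  const { plaintext } = splitForStorage(merge(SAMPLE_OLD_BASE, SAMPLE_SESSION));
  return CREDENTIAL_PROPS.filter((name) => name in plaintext);
}

console.log("vulnerable merge leaks:", leakedCredentials(mergeBaseProfileVulnerable)); // ["user", "password"]
console.log("fixed merge leaks:", leakedCredentials(mergeBaseProfileFixed)); // []
```

The vulnerable merge is the shape of the removed lines in the patch: the spread of the loaded profile pulls in the resolved `user` and `password`, and `secure: []` stops the writer from routing them back to the vault. The hardened merge copies the input before stripping, so the caller's in-memory profile is left intact, and keeps the old secure list so that any other vaulted property stays vaulted.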
