CVE-2020-26226

High

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally…

GitHub_M·CWE-116·Published 2020-11-18

CVSS

8.1

EPSS

0.01

KEV

Exploits

cve.orgen

368 chars

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.

NVDen

368 chars

OSV.deven

332 chars

### Impact Secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. ### Patches Fixed in v17.2.3 ### Workarounds Secrets that do not contain characters that become encoded when included in a URL are already masked properly.

GHSAen

332 chars

NVDes

431 chars

En el paquete npm semantic-release anterior a versión 17.2.3, los secretos que normalmente estarían enmascarados por "semantic-release" pueden ser revelados accidentalmente si contienen caracteres que se codifican cuando se incluían en una URL. Los secretos que no contienen caracteres que vienen codificados cuando se incluían en una URL ya están enmascarados correctamente. El problema es corregido en la versión 17.2.3

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
3.1	Primary	cve.org	8.1	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.1	Primary	cve.org	8.1	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.1	Primary	NVD	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.1	Secondary	GHSA	8.1	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.1	Secondary	NVD	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N