4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31051

GHSA ID

GHSA-x2pg-mjhr-2m5x

EPSS Score

0.62884%

CWE

CWE-200

Published

6/9/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31051

CVE-2022-31051: Exposure of Sensitive Information to an Unauthorized Actor in semantic-release

Impact

What kind of vulnerability is it? Who is impacted?

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.

Patches

Has the problem been patched? What versions should users upgrade to?

Fixed in 19.0.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

References

Are there any links users can visit to find out more?

https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI

For more information

If you have any questions or comments about this advisory:

Open a discussion in semantic-release discussions

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31051

GHSA ID

GHSA-x2pg-mjhr-2m5x

EPSS Score

0.62884%

CWE

CWE-200

Published

6/9/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
semantic-release	npm	>= 17.0.4, < 19.0.3	19.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from logging a modified repository URL containing credentials. The commit 58a226f shows the fix replaced options.repositoryUrl with options.originalRepositoryURL in the log message. The original implementation used a URL that might have been altered to include credentials (which encodeURI doesn't fully sanitize), while the patched version uses the unmodified URL. This indicates the logging function using options.repositoryUrl was the exposure point for improperly masked secrets.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ S**r*ts t**t woul* norm*lly ** m*sk** *y s*m*nti*-r*l**s* **n ** ***i**nt*lly *is*los** i* t**y *ont*in ***r**t*rs t**t *r* *x*lu*** *rom uri *n*o*in* *y [*n*o**URI](*ttps://**v*lop*r.m

Reasoning

T** vuln*r**ility st*mm** *rom lo**in* * mo*i*i** r*pository URL *ont*inin* *r***nti*ls. T** *ommit ******* s*ows t** *ix r*pl**** `options.r*positoryUrl` wit* `options.ori*in*lR*positoryURL` in t** lo* m*ss***. T** ori*in*l impl*m*nt*tion us** * URL

4.4

Basic Information

Concerned about an active attack path?

CVE-2022-31051: Exposure of Sensitive Information to an Unauthorized Actor in semantic-release

Impact

Patches

Workarounds

References

For more information

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI