6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-f6mm-5fc7-3g3c

GHSA-f6mm-5fc7-3g3c: goreleaser shows environment by default

Summary

Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment.

PoC

Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete $GOPATH/pkg).
Make sure to have secrets set in the environment
Make sure to not have go mod tidy in a before hook
Run goreleaser release --clean
Go prints lots of go: downloading ... lines, which triggers the "if output not empty, log it" line, which includes the environment.

Impact

Credentials and tokens are leaked.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-f6mm-5fc7-3g3c

GHSA-f6mm-5fc7-3g3c:

6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/goreleaser/goreleaser	go	= 1.26.0	1.26.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the 'run' function in build.go where environment variables were added to the logger context. The commit diff shows removal of 'log.WithField("env", env)' and adjustment of the logging call to exclude environment data. This directly correlates with the described vulnerability where environment variables (potentially containing secrets) were logged at INFO level when build output was non-empty.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.2

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-f6mm-5fc7-3g3c: goreleaser shows environment by default

Summary

PoC

Impact

GHSA-f6mm-5fc7-3g3c:

6.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-f6mm-5fc7-3g3c: goreleaser shows environment by default

Summary

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.2

6.2

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI