First published: Wed May 27 2020
### Impact

`aegir publish` and `aegir build` may leak secrets from environment variables into the browser bundle published to npm.

### Patches

The code has been patched; users should upgrade to >= 21.10.1.

### Workarounds

Run `printenv` to check your environment variables and revoke any secrets.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [aegir](https://github.com/ipfs/aegir)
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
npm/aegir | >=21.7.0 <21.10.1 | 21.10.1
Aegir Project Aegir | >=21.7.0 <21.10.1 | 
CVE-2020-11059 is a vulnerability in AEgir that allows secrets from environment variables to leak into the browser bundle.
CVE-2020-11059 can expose secrets from environment variables in the browser bundle published to npm.
The severity of CVE-2020-11059 is critical, with a CVSS score of 9.6.
To fix CVE-2020-11059, users should upgrade to version 21.10.1 or higher of AEgir.
As a workaround for CVE-2020-11059, users can run `printenv` to check their environment variables and revoke any secrets.