CVE-2024-23840

Insertion of Sensitive Information into Log File in go/github.com/goreleaser/goreleaser

Identifiers

GHSA-h3q2-8whx-c29h, CVE-2024-23840

Package Slug

go/github.com/goreleaser/goreleaser

Vulnerability

Insertion of Sensitive Information into Log File

Description

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. The log produced by goreleaser release --debug shows secret values used in the custom publisher. This vulnerability is fixed in 1.24.0.
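The class of mitigation for this weakness is to mask secret values before a debug line is written. The sketch below is an added example, not GoReleaser's own code; the names Redact, looksSecret and secretKeyHints, the hint list and the sample environment are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// secretKeyHints mark an environment variable name as sensitive.
// The list is an assumption of this example, not a GoReleaser list.
var secretKeyHints = []string{"TOKEN", "SECRET", "PASSWORD", "KEY"}

func looksSecret(name string) bool {
	upper := strings.ToUpper(name)
	for _, hint := range secretKeyHints {
		if strings.Contains(upper, hint) {
			return true
		}
	}
	return false
}

// Redact replaces every occurrence of a sensitive variable's value in line
// with "$NAME". Longer values are replaced first, so a secret that contains
// another secret as a substring is still masked completely.
func Redact(line string, env []string) string {
	type pair struct{ name, value string }
	var secrets []pair
	for _, kv := range env {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || value == "" || !looksSecret(name) {
			continue // malformed entry, empty value, or not sensitive
		}
		secrets = append(secrets, pair{name, value})
	}
	sort.SliceStable(secrets, func(i, j int) bool {
		return len(secrets[i].value) > len(secrets[j].value)
	})
	for _, s := range secrets {
		line = strings.ReplaceAll(line, s.value, "$"+s.name)
	}
	return line
}

func main() {
	// Constructed sample: environment and debug line of a hypothetical publisher.
	env := []string{"UPLOAD_TOKEN=s3cr3t-abc", "UPLOAD_HOST=example.test"}
	fmt.Println(Redact("cmd=upload env=[UPLOAD_TOKEN=s3cr3t-abc UPLOAD_HOST=example.test]", env))
}
```

Very short secret values would also be replaced wherever they appear in unrelated text, so a production filter usually enforces a minimum value length.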

Affected Versions

Version 1.23.0

Solution

Upgrade to version 1.24.0 or above.

Last Modified

2024-01-31
