CVE-2024-23840: Insertion of Sensitive Information into Log File

January 30, 2024

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. goreleaser release --debug log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.

References

github.com/advisories/GHSA-h3q2-8whx-c29h
github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0
github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h
nvd.nist.gov/vuln/detail/CVE-2024-23840

Code Behaviors & Features

Detect and mitigate CVE-2024-23840 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →