Insufficiently Protected Credentials Affecting airtable package, versions <0.11.6
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-AIRTABLE-3150819
- published 30 Nov 2022
- disclosed 30 Nov 2022
- credit Unknown
Introduced: 30 Nov 2022
CVE-2022-46155 Open this link in a new tabHow to fix?
Upgrade airtable to version 0.11.6 or higher.
Overview
airtable is a javascript client for Airtable.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to the usage of misconfigured build script in its source package, which bundles environment variables (AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL) into the build target of a transpiled bundle.
NOTE: This vulnerability is relevant only if all of the following conditions are met:
the user has cloned the
Airtable.jssource onto their machine.the user runs the npm prepare script
the user has the
AIRTABLE_API_KEYenvironment variable set.
Workaround
- Unset the
AIRTABLE_API_KEYenvironment variable in your shell and/or remove it from your.bashrc,.zshrc, or other shell configuration files.
Recommendations
Regenerate any Airtable API keys you use via https://airtable.com/account, as they may be present in bundled code.