Information Exposure Affecting @tinacms/cli package, versions >=1.0.0 <1.0.9


Severity: high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence: EPSS 0.16% (53rd percentile)

  • Snyk ID SNYK-JS-TINACMSCLI-3317170
  • published 9 Feb 2023
  • disclosed 9 Feb 2023
  • credit Unknown

How to fix?

Upgrade @tinacms/cli to version 1.0.9 or higher.

Overview

@tinacms/cli is the Tina Cloud CLI. It can be used to set up your project with Tina Cloud configuration and to run a local version of the Tina Cloud content-api (using your file system's content). For a real-world example of how this is being used, check out the [Tina Cloud St

Affected versions of this package are vulnerable to Information Exposure when sensitive values are stored in process.env variables: the build writes these values in plaintext into the generated index.js file.
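A defender-side check for the failure mode described above, added here as an example (it is not code from @tinacms/cli or Snyk): it scans a built artifact such as index.js for literal copies of sensitive environment-variable values. The sensitive-name pattern is an assumed heuristic, and the sample environment and bundle strings are constructed placeholders.

```javascript
// Added example, not code from @tinacms/cli: detect sensitive environment
// values that a build step has inlined verbatim into an output bundle.

// Environment variable names treated as sensitive (assumed heuristic).
const SENSITIVE_NAME = /KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL/i;
// Values shorter than this are skipped to avoid matching incidental strings.
const MIN_VALUE_LENGTH = 8;

// Returns the sorted names of sensitive variables whose values appear
// literally in `bundleSource`.
function findLeakedSecrets(bundleSource, env) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (!SENSITIVE_NAME.test(name)) continue;
    if (typeof value !== 'string' || value.length < MIN_VALUE_LENGTH) continue;
    if (bundleSource.includes(value)) leaked.push(name);
  }
  return leaked.sort();
}

// Constructed sample environment (placeholder values only).
const SAMPLE_ENV = {
  ALGOLIA_API_KEY: 'algolia-placeholder-key-1234',
  TINA_TOKEN: 'tina-placeholder-token-abcd',
  NODE_ENV: 'production',
  PORT: '3000',
};
// Constructed bundle where the build resolved process.env.* to plaintext literals.
const INLINED_BUNDLE = [
  'var algoliaKey = "algolia-placeholder-key-1234";',
  'var tinaToken = "tina-placeholder-token-abcd";',
  'var mode = "production";',
].join('\n');
// Constructed bundle that keeps the lookup for runtime, so no value is embedded.
const RUNTIME_BUNDLE = 'var algoliaKey = process.env.ALGOLIA_API_KEY;';

// CLI usage: node check-bundle.js path/to/index.js (checks the real process.env).
if (typeof require !== 'undefined' && require.main === module) {
  const source = require('fs').readFileSync(process.argv[2], 'utf8');
  const leaked = findLeakedSecrets(source, process.env);
  console.log(leaked.length ? `Leaked: ${leaked.join(', ')}` : 'No inlined secrets found');
  process.exitCode = leaked.length ? 1 : 0;
}
```

Run it against the build output in CI with the same environment the build used; a non-zero exit flags that a rotation is needed.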

Impact

Affected users (e.g. those using Algolia API keys) should rotate the keys immediately.

CVSS Scores

version 3.1

Snyk (Recommended): 8.6 high
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): None
  • Availability (A): None

NVD: 7.5 high