Auto-merge PR#3899

2025-08-04 08:44:25 +00:00 · 2020-05-27 16:55:16 -04:00 · 2020-05-27 16:55:16 -04:00 · b0168198eb
commit b0168198eb
parent 11e36c3e97 5e25d569be
1 changed files with 71 additions and 6 deletions
--- a/2020/11xxx/CVE-2020-11059.json
+++ b/2020/11xxx/CVE-2020-11059.json
@ -1,18 +1,83 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11059",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in AEgir"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "AEgir",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": ">= 21.7.0, < 21.10.1"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "IPFS"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm.\n\nThis has been fixed in 21.10.1."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.6,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "CHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-qfcv-5whw-7pcw",
+        "discovery": "UNKNOWN"
    }
 }