nvd-json-data-feeds/CVE-2022/CVE-2022-461xx/CVE-2022-46155.json

{
  "id": "CVE-2022-46155",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2022-11-29T23:15:10.473",
  "lastModified": "2024-11-21T07:30:13.207",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users\u2019 environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user\u2019s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code."
    },
    {
      "lang": "es",
      "value": "Airtable.js es el cliente JavaScript para Airtable. Antes de la versi\u00f3n 0.11.6, Airtable.js ten\u00eda un script de compilaci\u00f3n mal configurado en su paquete fuente. Cuando se ejecuta el script de compilaci\u00f3n, agrupar\u00e1 variables de entorno en el destino de compilaci\u00f3n de un paquete transpilado. Espec\u00edficamente, las variables de entorno AIRTABLE_API_KEY y AIRTABLE_ENDPOINT_URL se insertan durante las compilaciones de Browserify debido a que se hace referencia a ellas en el c\u00f3digo Airtable.js. Esto solo afecta a las copias de Airtable.js creadas desde su fuente, no a las instaladas mediante npm o Yarn. \u00bfClaves API de Airtable configuradas en los usuarios? Los entornos a trav\u00e9s de la variable de entorno AIRTABLE_API_KEY se pueden incluir en copias locales del c\u00f3digo fuente de Airtable.js si se cumplen todas las condiciones siguientes: \n1) el usuario ha clonado el c\u00f3digo fuente de Airtable.js en su m\u00e1quina, \n2) el usuario ejecuta el script  `npm prepare`, y \n3) el usuario tiene configurada la variable de entorno AIRTABLE_API_KEY. \nSi se cumplen estas condiciones, la compilaci\u00f3n local de Airtable.js de un usuario se modificar\u00eda para incluir el valor de la variable de entorno AIRTABLE_API_KEY, que luego podr\u00eda enviarse accidentalmente en el c\u00f3digo incluido. Los usuarios que no cumplan con estas tres condiciones no se ver\u00e1n afectados por este problema. Los usuarios deben actualizar a Airtable.js versi\u00f3n 0.11.6 o superior; o, como workaround, desactive la variable de entorno AIRTABLE_API_KEY en su shell y/o elim\u00ednela de sus archivos de configuraci\u00f3n .bashrc, .zshrc u otros archivos de configuraci\u00f3n de shell. Los usuarios tambi\u00e9n deben volver a generar cualquier clave API de Airtable que utilicen, ya que la clave puede estar presente en el c\u00f3digo incluido."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "HIGH",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 6.0
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "HIGH",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:airtable:airtable:*:*:*:*:*:node.js:*:*",
              "versionEndExcluding": "0.11.6",
              "matchCriteriaId": "ACDB1006-0566-4749-B53F-33E6DC6D2A9B"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://github.com/Airtable/airtable.js/releases/tag/v0.11.6",
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ]
    },
    {
      "url": "https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v",
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ]
    },
    {
      "url": "https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://github.com/Airtable/airtable.js/releases/tag/v0.11.6",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ]
    },
    {
      "url": "https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}