Vulnerability Description
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
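Added illustration of the masking gap described above; this is example code written for this page, not semantic-release's own implementation. It assumes a secret-detection heuristic keyed on environment variable names and a constructed sample secret containing `@` and `#`, characters that `encodeURIComponent` rewrites as `%40` and `%23`.

```javascript
// Replacement string and a regex escaper (assumed names, not from the project).
const SECRET_REPLACEMENT = '[secure]';

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect values of env vars whose names look secret-bearing.
function secretValues(env) {
  return Object.keys(env)
    .filter((name) => /token|password|credential|secret|private/i.test(name))
    .map((name) => env[name])
    .filter((value) => typeof value === 'string' && value.trim().length >= 5);
}

function buildMasker(variants) {
  if (variants.length === 0) return (output) => output;
  // Longest alternatives first so a shorter variant never shadows a longer one.
  const sorted = [...variants].sort((a, b) => b.length - a.length);
  const regexp = new RegExp(sorted.map(escapeRegExp).join('|'), 'g');
  return (output) => (typeof output === 'string' ? output.replace(regexp, SECRET_REPLACEMENT) : output);
}

// Vulnerable form: masks only the literal secret, so the URL-encoded copy leaks.
function hideSensitiveLiteral(env) {
  return buildMasker(secretValues(env));
}

// Hardened form: also masks the URL-encoded forms of each secret, which is
// what appears when a secret is embedded in a URL such as a git remote.
function hideSensitiveWithEncoded(env) {
  const variants = new Set();
  for (const v of secretValues(env)) {
    variants.add(v);
    variants.add(encodeURI(v));
    variants.add(encodeURIComponent(v));
  }
  return buildMasker([...variants]);
}

// Constructed sample input: a secret with '@' and '#', and a log line where
// the same secret appears percent-encoded inside an HTTPS remote URL.
const demoEnv = { NPM_TOKEN: 'p@ss#word!' };
const demoLine = 'fatal: could not read from https://x:p%40ss%23word!@github.com/org/repo';

console.log(hideSensitiveLiteral(demoEnv)(demoLine)); // encoded secret still visible
console.log(hideSensitiveWithEncoded(demoEnv)(demoLine)); // encoded secret masked
```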
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Semantic-Release Project | Semantic-Release | < 17.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4 (Patch, Third Party Advisory)
- https://github.com/semantic-release/semantic-release/security/advisories/GHSA-r2 (Third Party Advisory)
FAQ
What is CVE-2020-26226?
CVE-2020-26226 is a vulnerability with a CVSS score of 8.1 (HIGH). In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when...
How severe is CVE-2020-26226?
CVE-2020-26226 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2020-26226?
Check the references section above for vendor advisories and patch information; the issue is fixed in semantic-release 17.2.3. Affected products include: Semantic-Release Project's Semantic-Release, versions before 17.2.3.