CVE-2024-52582

Published: Nov 19, 2024

Modified: Nov 19, 2024

PUBLISHED

CVSS v3.1

4.7

MEDIUM

Description

Cachi2 is a command-line interface tool that pre-fetches a project's dependencies to aid in making the project's build process network-isolated. Prior to version 0.14.0, secrets may be shown in logs when an unhandled exception is triggered because the tool is logging locals of each function. This may uncover secrets if tool used in CI/build pipelines as it's the main use case. Version 0.14.0 contains a patch for the issue. No known workarounds are available.

Vendor	Product	Versions
containerbuildsystem	cachi2	affected `< 0.14.0`

Weaknesses (CWE)

CWE-497

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/containerbuildsystem/cachi2/security/advisories/GHSA-w9qc-9m5h-qqmh

x_refsource_CONFIRM

https://github.com/containerbuildsystem/cachi2/commit/d6638e5e14474061a1ab1ba5d0ee72f58b9a11a9

x_refsource_MISC

https://typer.tiangolo.com/tutorial/exceptions/?h=#disable-local-variables-for-security

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-52582

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References