Description
Affected versions of aegir bundle the current user's GitHub token and publish it to npm when aegir-release is executed.
Recommendation
Update the aegir package to the latest compatible version. Version details:
- Affected version(s): >= 12.0.0, <= 12.0.7
- Patched version(s): 12.0.8
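To find out whether a project still resolves aegir to an affected release, the check below walks a parsed package-lock.json and flags every installed copy in the range above. It is an added example, not code from the advisory or from aegir; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag aegir copies in the advisory's affected range
// (>= 12.0.0, <= 12.0.7) inside a parsed package-lock.json object.

// Parse an exact "major.minor.patch"; anything else (ranges, tags,
// prereleases) returns null and is reported as not matched.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}

// True only for exact versions 12.0.0 through 12.0.7.
function isAffected(version) {
  const p = parseVersion(version);
  return p !== null && p[0] === 12 && p[1] === 0 && p[2] <= 7;
}

// Collect every installed copy of aegir. Lockfile v2/v3 lists them under
// "packages"; v1 nests them under "dependencies". Prefer "packages" when
// present so a v2 file (which carries both) is not counted twice.
function findAegir(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/aegir' || path.endsWith('/node_modules/aegir')) {
        found.push({ where: path, version: meta.version });
      }
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        if (name === 'aegir') found.push({ where: here.join(' > '), version: meta.version });
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return found.map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfiles (not from a real project).
const sampleLockV3 = { lockfileVersion: 3, packages: {
  'node_modules/aegir': { version: '12.0.7' },
  'node_modules/some-tool/node_modules/aegir': { version: '12.0.8' } } };
const sampleLockV1 = { lockfileVersion: 1, dependencies: {
  'some-lib': { version: '1.0.0', dependencies: { aegir: { version: '12.0.3' } } } } };

console.log(findAegir(sampleLockV3), findAegir(sampleLockV1));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAegir`; any entry with `affected: true` should be moved to 12.0.8.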
References
Related Issues
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views (GHSA-v8gg-4mq2-88q4) - CVE-2023-36472
- fetch(url) leads to a memory leak in undici - CVE-2024-24750
- Undici vulnerable to data leak when using response.arrayBuffer() - CVE-2024-38372
- Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to - CVE-2024-39691
Tags:
- npm
- aegir
Last updated on January 09, 2023