Description
Versions of seneca prior to 3.9.0 are vulnerable to Sensitive Data Exposure. When a process using the package crashes, all environment variables are printed. This may leak sensitive data such as access keys, especially when log-monitoring systems store the error output.
Recommendation
Update the seneca package to the latest compatible version. Version details:
- Affected version(s): < 3.9.0
- Patched version(s): 3.9.0
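The exposure described above, shown as an added example that is not seneca's code and not part of the advisory: a crash report that serializes the whole environment beside one that prints only allowlisted values, plus a check that a report contains no other variable's value. All function names, the allowlist and the sample environment are assumptions constructed for illustration.

```javascript
// Added example; hypothetical names throughout, not seneca's API.
const SAFE_ENV_KEYS = new Set(['NODE_ENV', 'TZ', 'LANG']); // assumed allowlist

// Weak pattern: the whole environment is serialized into the crash output.
function leakyCrashReport(err, env) {
  return JSON.stringify({ message: err.message, stack: err.stack, env });
}

// Hardened pattern: only allowlisted values are printed; every other
// variable is listed by name so the report stays useful for debugging.
function safeCrashReport(err, env) {
  const shown = {};
  const withheld = [];
  for (const [name, value] of Object.entries(env)) {
    if (SAFE_ENV_KEYS.has(name)) shown[name] = value;
    else withheld.push(name);
  }
  withheld.sort();
  return JSON.stringify({ message: err.message, stack: err.stack, env: shown, envWithheld: withheld });
}

// Check usable in a unit test or log-pipeline gate: which non-allowlisted
// variables have their value present verbatim in a report? Short values are
// skipped to avoid matching by coincidence.
function leakedNames(report, env) {
  return Object.entries(env)
    .filter(([name, value]) => !SAFE_ENV_KEYS.has(name) && value.length >= 8 && report.includes(value))
    .map(([name]) => name)
    .sort();
}

// Optional wiring: log the redacted report on a fatal error, then exit.
function installCrashHandler() {
  process.on('uncaughtException', (err) => {
    console.error(safeCrashReport(err, process.env));
    process.exit(1);
  });
}

// Constructed sample environment (values are made up, not real credentials).
const sampleEnv = {
  NODE_ENV: 'production',
  AWS_SECRET_ACCESS_KEY: 'EXAMPLE-not-a-real-key-0000',
  DB_PASSWORD: 'constructed-password-1',
};
```
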
References
- GHSA-2xwv-3cc9-fp7c
- hackerone.com
- www.npmjs.com
- CVE-2019-5483
- CWE-209
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A6
Tags: npm, seneca
Last updated on January 09, 2023