Description
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1.
References (1)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw
Scores
CVSS v3
9.6
EPSS
0.0112
EPSS Percentile
62.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-200
Status
published
Products (2)
aegir_project/aegir
21.7.0 - 21.10.1
npm/aegir
21.7.0 - 21.10.1 (npm)
Published
May 27, 2020
Tracked Since
Feb 18, 2026