CVE-2020-11059 — Exposure of Sensitive Information to an Unauthorized Actor in AEgir

Description

### Impact `aegir publish` and `aegir build` may leak secrets from environmental variables in the browser bundle published to npm. ### Patches The code has been patched, users should upgrade to >= 21.10.1 ### Workarounds Run `printenv` to check your environment variables and revoke any secrets. ### For more information If you have any questions or comments about this advisory: * Open an issue in [aegir](https://github.com/ipfs/aegir)

How to fix CVE-2020-11059

To remediate CVE-2020-11059, upgrade the affected package to a fixed version below.

—upgrade to 21.10.1 or later

Is CVE-2020-11059 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 21.7.0, < 21.10.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11059
PATCHgithub.com/ipfs/aegir
WEBgithub.com/ipfs/aegir/commit/e36e1def57b2dc1e4b7a5beba964c5924e87f8d8
WEBgithub.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw