CVE-2024-23840 — Vulnetix

CVE-2024-23840 PUBLISHED CVSS 5.5 MEDIUM

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. `goreleaser release --debug` log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0.

EPSS 0.06% · 19.8th percentile

Risk Scores

CVSS v3.1

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.06%

19.8th percentile

Affected Products

Vendor	Product	Versions
github.com	goreleaser/goreleaser	1.23.0, 1.23.0
goreleaser	goreleaser	1.23.0, 1.23.0

Timeline

Jan 21, 1970 Security Advisory
Jan 30, 2024 CVE Published
Feb 8, 2024 EPSS Score
Mar 6, 2024 EPSS Score
Apr 2, 2024 EPSS Score
Apr 30, 2024 EPSS Score
May 27, 2024 EPSS Score
Jun 23, 2024 EPSS Score
Jul 20, 2024 EPSS Score
Aug 17, 2024 EPSS Score
Sep 13, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score

References

https://github.com/goreleaser/goreleaser/security/advisories/GHSA-h3q2-8whx-c29h url
https://github.com/goreleaser/goreleaser/commit/d5b6a533ca1dc3366983d5d31ee2d2b6232b83c0 url
https://nvd.nist.gov/vuln/detail/CVE-2024-23840 advisory
https://github.com/goreleaser/goreleaser package

Open in Interactive Console →