Sensitive Information leak via Script File in TinaCMS
Description
Published to the GitHub Advisory Database: Feb 8, 2023
Reviewed: Feb 8, 2023
Published by the National Vulnerability Database: Feb 8, 2023
Last updated: Feb 8, 2023
Impact
Sensitive information is leaked via a script file in TinaCMS. Sites built with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env variables are impacted. If you're on a version prior to 1.0.0, this vulnerability does not affect you.
If your Tina-enabled website has sensitive credentials stored as environment variables (e.g., Algolia API keys), you should rotate those keys immediately.
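A triage check for the impact described above, added here as an example and not code from the TinaCMS project: it tests a version against the affected range and reports which environment variables have values present in a built script file. The function names, the file path and variable names passed on the command line, and the 8-character minimum are assumptions.

```javascript
// Added triage example for this advisory; not code from the TinaCMS project.

// True when an @tinacms/cli version is in the affected range: >= 1.0.0 && < 1.0.9.
// Assumption: a pre-release suffix is ignored, so "1.0.0-beta" is treated as 1.0.0.
function isAffectedCliVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 1 && minor === 0 && patch < 9;
}

// Returns the sorted names of variables in `env` whose values occur in scriptText,
// either verbatim or as a bundler would embed them in a JSON/JS string literal.
// Only names are returned, so the report itself never repeats a secret.
// Assumption: values shorter than minLen are skipped to avoid noise ("true", "3000").
function findLeakedEnvNames(scriptText, env, minLen = 8) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== 'string' || value.length < minLen) continue;
    const escaped = JSON.stringify(value).slice(1, -1);
    if (scriptText.includes(value) || scriptText.includes(escaped)) leaked.push(name);
  }
  return leaked.sort();
}

// CLI use: node triage.js <cli-version> <built-script.js> <SENSITIVE_VAR_NAME>...
// Run it in the environment the site was built in, so process.env holds the real values.
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module && process.argv.length > 4) {
  const fs = require('fs');
  const [version, file, ...names] = process.argv.slice(2);
  const env = Object.fromEntries(names.map((n) => [n, process.env[n]]));
  const leaked = findLeakedEnvNames(fs.readFileSync(file, 'utf8'), env);
  console.log(`@tinacms/cli ${version} in affected range: ${isAffectedCliVersion(version)}`);
  console.log(leaked.length ? `found in script: ${leaked.join(', ')}` : 'no listed values found in file');
}
```

A clean result for one file does not show the values were never exposed in an earlier build, so it does not replace the rotation the advisory calls for.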
Patches
This issue has been patched in @tinacms/cli@1.0.9.
Workarounds
Upgrading and rotating secure & exposed keys are both required for the proper fix.
References
tinacms/tinacms#3584