Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
hermes's raw options logging may disclose secrets passed in via subcommand options argument
Vulnerability Description
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Vulnerability Type
通过日志文件的信息暴露
Vulnerability Title
hermes 日志信息泄露漏洞
Vulnerability Description
Hermes是Automated Software Metadata Publication开源的一个工作流平台。 hermes 0.8.1版本至0.9.1之前版本存在日志信息泄露漏洞,该漏洞源于hermes子命令在-O参数下记录原始形式的任意选项,可能导致敏感数据以明文形式写入日志文件。
CVSS Information
N/A
Vulnerability Type
N/A