CVE-2025-24355

Published Jan 24, 2025

Last updated 2 months ago

CVSS high 7.1

Overview

Description
Updatecli is a tool used to apply file update strategies. Prior to version 0.93.0, private maven repository credentials may be leaked in application logs in case of unsuccessful retrieval operation. During the execution of an updatecli pipeline which contains a `maven` source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure. Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository, e.g. wrong coordinates provided, not existing artifact or version. Version 0.93.0 contains a patch for the issue.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.0

Type
Secondary
Base score
7.1
Impact score
4
Exploitability score
2.5
Vector string
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-359

Social media

Hype score
Not currently trending

  1. CVE-2025-24355 Updatecli is a tool used to apply file update strategies. Prior to version 0.93.0, private maven repository credentials may be leaked in application logs in case of u… https://t.co/IcGdKCTvab

    @CVEnew

    24 Jan 2025

    215 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References