CVE-2024-52582 MEDIUM

CVE-2024-52582: cachi2 allows traceback prints locals

Vendor Containerbuildsystem
Product cachi2
Weakness CWE-497
Published November 19, 2024
Last update November 19, 2024

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Cachi2 is a command-line interface tool that pre-fetches a project's dependencies to aid in making the project's build process network-isolated. Prior to version 0.14.0, secrets may be shown in logs when an unhandled exception is triggered, because the tool logs the local variables of each function in the traceback. This may expose secrets when the tool is used in CI/build pipelines, which is its main use case. Version 0.14.0 contains a patch for the issue. No known workarounds are available.
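
The failure mode described above, reproduced as an added example with Python's standard `traceback` module; this is not cachi2's code or its patch. The function names, URL and token value are constructed for illustration. It also shows why redacting locals by variable name is weaker than not logging locals at all.

```python
import re
import traceback

SAMPLE_TOKEN = "constructed-token-12345"  # constructed value, not a real credential
SENSITIVE_NAME = re.compile(r"token|secret|passw", re.I)


def fetch_dependency(url, token):
    # Hypothetical helper: both locals below hold the credential when it fails.
    auth_header = f"Bearer {token}"
    raise ConnectionError(f"cannot reach {url}")


def render(exc, show_locals, redact_names=False):
    """Format an exception as a top-level handler would write it to the log."""
    tbe = traceback.TracebackException.from_exception(exc, capture_locals=show_locals)
    if redact_names:
        # Name-based scrubbing: replace values of locals whose name looks sensitive.
        for frame in tbe.stack:
            for name in frame.locals or {}:
                if SENSITIVE_NAME.search(name):
                    frame.locals[name] = "'<redacted>'"
    return "".join(tbe.format())


def run(show_locals, redact_names=False):
    try:
        fetch_dependency("https://registry.invalid/pkg", SAMPLE_TOKEN)
    except ConnectionError as exc:
        return render(exc, show_locals, redact_names)


def leaks(log_text):
    """True if the credential value appears anywhere in the rendered log text."""
    return SAMPLE_TOKEN in log_text


if __name__ == "__main__":
    print(leaks(run(show_locals=True)))                     # locals dumped into the log
    print(leaks(run(show_locals=True, redact_names=True)))  # auth_header still carries it
    print(leaks(run(show_locals=False)))                    # no locals in the log
```

A check like `leaks()` over captured CI output, using a canary value injected as the secret, is one way to confirm that a pipeline's logs stay clean after upgrading.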

Key dates

02 Disclosure timeline

November 19, 2024 CVE published
November 19, 2024 Record updated