=================================================================== CERT-Renater Note d'Information No. 2022/VULN441 _____________________________________________________________________ DATE : 05/12/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running airtable (npm) versions prior to 0.11.6. ====================================================================https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v _____________________________________________________________________ Credentials exposed in browser builds High davidmally-at published GHSA-vqm5-9546-x25v Package airtable (npm) Affected versions < 0.11.5 Patched versions > = 0.11.6 Description Summary Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Impact Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the npm prepare script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Recommendations Take one of the following steps: a) Upgrade to Airtable.js version 0.11.6 or higher; or b) Unset the AIRTABLE_API_KEY environment variable in your shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Regenerate any Airtable API keys you use (via https://airtable.com/account), as they may be present in bundled code. References Fix commit Severity High 7.6/ 10 CVSS base metrics Attack vector Network Attack complexity High Privileges required High User interaction Required Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H CVE ID CVE-2022-46155 Weaknesses CWE-522 ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =======================================================