CVE-2024-45391

Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a	Patch
https://github.com/tinacms/tinacms/pull/4758	Issue Tracking
https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tina:tina:*:*:*:*:*:*:*:*

History

12 Sep 2024, 20:13

Type	Values Removed	Values Added
CWE		CWE-312
First Time		Tina tina Tina
CPE		cpe:2.3:a:tina:tina::::::::
References	~~() https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a -~~	() https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a - Patch
References	~~() https://github.com/tinacms/tinacms/pull/4758 -~~	() https://github.com/tinacms/tinacms/pull/4758 - Issue Tracking
References	~~() https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx -~~	() https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx - Vendor Advisory

04 Sep 2024, 13:05

Type	Values Removed	Values Added
Summary		(es) Tina es un sistema de gestión de contenido (CMS) de código abierto. Los sitios creados con la interfaz de línea de comandos (CLI) de Tina CMS anterior a la versión 1.6.2 que utilizan un token de búsqueda pueden ser vulnerables a que el token de búsqueda se filtre a través del archivo de bloqueo (tina-lock.json). Los administradores de sitios web habilitados para Tina con configuración de búsqueda deben rotar su clave de inmediato. Este problema se ha corregido en la versión 1.6.2 de @tinacms/cli. Es necesario actualizar y rotar el token de búsqueda para solucionarlo correctamente.

03 Sep 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-03 20:15

Updated : 2024-09-12 20:13

NVD link : CVE-2024-45391

Mitre link : CVE-2024-45391

CVE.ORG link : CVE-2024-45391

JSON object : View

Products Affected

tina

tina

CWE

CWE-312

Cleartext Storage of Sensitive Information

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

7.5 /10