CVE-2022-46155

Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code.
Configurations

Configuration 1 (hide)

cpe:2.3:a:airtable:airtable:*:*:*:*:*:node.js:*:*

History

07 Jul 2023, 19:04

Type Values Removed Values Added
References (CONFIRM) https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v - Third Party Advisory (CONFIRM) https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v - Vendor Advisory
References (MISC) https://github.com/Airtable/airtable.js/releases/tag/v0.11.6 - Third Party Advisory (MISC) https://github.com/Airtable/airtable.js/releases/tag/v0.11.6 - Release Notes
CWE CWE-522 CWE-312

02 Dec 2022, 18:57

Type Values Removed Values Added
References (CONFIRM) https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v - (CONFIRM) https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v - Third Party Advisory
References (MISC) https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0 - (MISC) https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0 - Patch, Third Party Advisory
References (MISC) https://github.com/Airtable/airtable.js/releases/tag/v0.11.6 - (MISC) https://github.com/Airtable/airtable.js/releases/tag/v0.11.6 - Third Party Advisory
CPE cpe:2.3:a:airtable:airtable:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.4

30 Nov 2022, 02:35

Type Values Removed Values Added
New CVE

Information

Published : 2022-11-29 23:15

Updated : 2024-02-04 23:14


NVD link : CVE-2022-46155

Mitre link : CVE-2022-46155

CVE.ORG link : CVE-2022-46155


JSON object : View

Products Affected

airtable

  • airtable
CWE
CWE-312

Cleartext Storage of Sensitive Information

CWE-522

Insufficiently Protected Credentials