CVE-2023-6460

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue

CVSS v3 4.0 MEDIUM

4.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.3 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/googleapis/nodejs-firestore/pull/1742	Issue Tracking Patch
https://github.com/googleapis/nodejs-firestore/pull/1742	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:cloud_firestore:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 08:43

Type	Values Removed	Values Added
References	~~() https://github.com/googleapis/nodejs-firestore/pull/1742 - Issue Tracking, Patch~~	() https://github.com/googleapis/nodejs-firestore/pull/1742 - Issue Tracking, Patch
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : 4.0

08 Dec 2023, 14:03

Type	Values Removed	Values Added
CWE		CWE-532
CPE		cpe:2.3:a:google:cloud_firestore::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://github.com/googleapis/nodejs-firestore/pull/1742 -~~	() https://github.com/googleapis/nodejs-firestore/pull/1742 - Issue Tracking, Patch

04 Dec 2023, 13:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-04 13:15

Updated : 2024-11-21 08:43

NVD link : CVE-2023-6460

Mitre link : CVE-2023-6460

CVE.ORG link : CVE-2023-6460

JSON object : View

Products Affected

google

cloud_firestore

CWE

CWE-922

Insecure Storage of Sensitive Information

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2023-6460", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-12-04T13:15:07.800", "references": [{"url": "https://github.com/googleapis/nodejs-firestore/pull/1742", "tags": ["Issue Tracking", "Patch"], "source": "cve-coordination@google.com"}, {"url": "https://github.com/googleapis/nodejs-firestore/pull/1742", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue"}, {"lang": "es", "value": "Existe un posible registro de la clave de Firestore a trav\u00e9s del registro dentro de nodejs-firestore: los desarrolladores que registraran objetos a trav\u00e9s de this._settings registrar\u00edan la clave de Firestore y potencialmente la expondr\u00edan a cualquier persona con acceso de lectura de registros. Recomendamos actualizar a la versi\u00f3n 6.1.0 para evitar este problema."}], "lastModified": "2024-11-21T08:43:54.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:cloud_firestore:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "78F1EFF8-1061-46D1-A756-72B080F6F17A", "versionEndExcluding": "6.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}