Open-IRS Robot Exposed Sensitive Data Due to Misconfigured Git Repository

CVE: CVE-2024-24757
CVSS (v3.1): 7.6
Source: CVE-2024-24757

The open-source issue-response robot open-irs accidentally committed a `.env` file to its GitHub repository. The file contained sensitive authentication keys that could be used to access third-party services.

The CVE assigned to this issue is CVE-2024-24757, with a CVSS score of 7.6, making it a high-severity issue. Anyone who cloned the open-irs repository had access to these secret keys simply by looking in the `.env` file.

Attackers could have used these keys to impersonate the open-irs robot and respond to issues maliciously. If the file contained OAuth tokens, they may also have been able to access third-party services such as GitHub with them.

Luckily, the developers were quick to address this and released version 1.0.1, which removes the `.env` file and moves the sensitive values to GitHub secrets instead.

If you use any open-source tools, check the repositories you depend on for misconfigured files or exposed secrets. Always store authentication keys in GitHub secrets or environment variables rather than committing them to code, and keep an eye out for security updates from the projects you depend on.
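One concrete check for the advice above, as an added example that is not part of the original advisory or the open-irs project: deleting a committed `.env` file in a later release (as open-irs 1.0.1 does) leaves it in git history, so this script walks every branch for `.env`-style paths that were ever added. It assumes `git` is installed and that the argument is a path to a local clone; a hit means the keys in that file should be treated as leaked and rotated, not merely removed.

```shell
#!/bin/sh
# List every .env-style path that was ever added to the repository's history,
# across all branches. A file removed in a later commit still shows up here.
list_committed_env_files() {
  repo="$1"
  # Fail loudly on a non-repo so an empty result is never mistaken for "clean".
  git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || {
    echo "not a git repository: $repo" >&2
    return 2
  }
  # --diff-filter=A: only commits that added the path; --pretty=format: drops
  # commit headers so only file names remain. Git pathspec '*' spans slashes,
  # so '*.env' also matches nested files such as app/.env.
  git -C "$repo" log --all --diff-filter=A --name-only --pretty=format: \
    -- '.env' '*.env' '.env.*' '*.env.*' | sed '/^$/d' | sort -u
}

# Returns 0 if no env file was ever committed, 1 if any was found.
check_repo_for_env_leak() {
  found=$(list_committed_env_files "$1") || return 2
  if [ -n "$found" ]; then
    printf 'env file(s) present in history of %s (rotate their keys):\n%s\n' \
      "$1" "$found"
    return 1
  fi
  echo "no env files found in history of $1"
  return 0
}
```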
