7.8

CVE-2025-66411

Exploit

Coder logged sensitive objects unsanitized

Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CoderCoder SwPlatformgo Version < 2.26.5
CoderCoder SwPlatformgo Version >= 2.27.0 < 2.27.7
CoderCoder SwPlatformgo Version >= 2.28.0 < 2.28.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.093
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74
Patch
Vendor Advisory
Exploit
https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289
Patch
https://github.com/coder/coder/releases/tag/v2.26.5
Product
Release Notes
https://github.com/coder/coder/releases/tag/v2.27.7
Product
Release Notes
https://github.com/coder/coder/releases/tag/v2.28.4
Product
Release Notes