CVE-2024-45391

03.09.2024, 20:15

Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Vendor	Product	Version
tina	tina	𝑥 < 1.6.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a

https://github.com/tinacms/tinacms/pull/4758

https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx