Homepage
About Snyk

Insufficiently Protected Credentials Affecting airtable package, versions <0.11.6

0.0
high

Snyk CVSS

    Attack Complexity High
    Privileges Required High
    User Interaction Required
    Scope Changed
    Confidentiality High
    Integrity High

    Threat Intelligence

    EPSS 0.17% (53rd percentile)
Expand this section
NVD
6.4 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-AIRTABLE-3150819
  • published 30 Nov 2022
  • disclosed 30 Nov 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 30 Nov 2022

CVE-2022-46155 Open this link in a new tab
CWE-522 Open this link in a new tab

How to fix?

Upgrade airtable to version 0.11.6 or higher.

Overview

airtable is a javascript client for Airtable.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to the usage of misconfigured build script in its source package, which bundles environment variables (AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL) into the build target of a transpiled bundle.

NOTE: This vulnerability is relevant only if all of the following conditions are met:

  1. the user has cloned the Airtable.js source onto their machine.

  2. the user runs the npm prepare script

  3. the user has the AIRTABLE_API_KEY environment variable set.

Workaround

  1. Unset the AIRTABLE_API_KEY environment variable in your shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files.

Recommendations

Regenerate any Airtable API keys you use via https://airtable.com/account, as they may be present in bundled code.