Vulnerability DatabaseCVE-2023-34097

CVE-2023-34097:
Homebrew vulnerability analysis and mitigation

Overview

Hoppscotch, an open source API development ecosystem, was found to expose database passwords in logs when showing the database connection string in versions prior to 2023.4.5. The vulnerability (CVE-2023-34097) was discovered and disclosed in June 2023. The issue affects all versions of Hoppscotch up to and including version 2023.4.4 (GitHub Advisory).

Technical details

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). When running the application, the database connection string containing credentials was being logged, exposing sensitive authentication information. The vulnerability received a CVSS v3.1 base score of 7.8 (High) from GitHub and 8.8 (High) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

Attackers with access to read system logs would be able to elevate privileges with full access to the database. This could lead to unauthorized database access, potential data breaches, and compromise of sensitive information stored in the database (GitHub Advisory).

Mitigation and workarounds

Users are advised to upgrade to version 2023.4.5 or later which removes the database connection string from the logs. The fix was implemented by removing the logging of DATABASE_URL from the main.ts file (GitHub Patch). There are no known workarounds for this vulnerability.

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22861	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 13, 2026
CVE-2026-22776	HIGH	8.7	Homebrew	cpp-httplib	No	Yes	Jan 12, 2026
CVE-2026-22783	HIGH	8.1	NixOS	iris	No	Yes	Jan 12, 2026
CVE-2026-21283	HIGH	7.8	Adobe Bridge	bridge	No	Yes	Jan 13, 2026
CVE-2026-22784	LOW	2.3	NixOS	lychee	No	Yes	Jan 12, 2026