CVE-2024-23840: 
NixOS vulnerability analysis and mitigation

GoReleaser version 1.23.0 contains a security vulnerability where secret values used in custom publishers are exposed in debug logs. The vulnerability was discovered and disclosed on January 29, 2024, affecting the GoReleaser tool which builds Go binaries for multiple platforms and creates GitHub releases. This issue has been assigned CVE-2024-23840 and has been fixed in version 1.24.0 (GitHub Advisory).

When running GoReleaser with the --debug flag (i.e., goreleaser release --debug), the tool logs environment variables and command execution details that may contain sensitive information. This occurs specifically when using custom publishers with secret values in the environment variables. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required but no user interaction is needed to exploit the vulnerability (NVD).

The vulnerability could lead to the exposure of sensitive information such as secret values and GitHub tokens through debug logs. This information disclosure could potentially compromise security credentials and access tokens used in the build and release process (GitHub Advisory).

Users should upgrade to GoReleaser version 1.24.0 or later, which contains the fix for this vulnerability. The fix involves removing sensitive environment variable values from debug logs (GitHub Patch).