Credentials stored in Lagoon API environment variables exposed in logs

Moderate
tobybellwood published GHSA-v25f-78mj-cvv5 Oct 1, 2021

Package

Lagoon Build (Lagoon)

Affected versions

<v2.0.0-rc.9

Patched versions

2.0.0

Description

Impact

Credentials stored as environment variables in the Lagoon API are exposed in build logs, where they can be seen by Lagoon roles that should not have access to them. Every role has access to the build logs, but not every role has access to the environment (where the environment variables can be seen).

Patches

In 2.0.0, the steps that previously displayed these variables as part of a variable search routine have been removed from the logs by wrapping them in a routine.
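
The following is an added illustration, not Lagoon's build code: it shows how a variable search step can put a credential into a build log without ever printing it, and how wrapping that step keeps it out. It assumes the log is produced by shell command tracing (`set -x`), which the advisory does not state; `BUILD_VARS`, `lookup_var`, `REGISTRY_PASSWORD` and the sample value are constructed for the example.

```shell
#!/bin/sh
# Constructed sample data: name=value pairs standing in for the variables a build receives.
BUILD_VARS='ROUTES_ENABLED=true
REGISTRY_PASSWORD=s3cr3t-constructed'

# Hypothetical variable search routine: print the value stored under name $1.
lookup_var() {
  printf '%s\n' "$BUILD_VARS" | while IFS='=' read -r name value; do
    if [ "$name" = "$1" ]; then printf '%s\n' "$value"; fi
  done
}

# Before: the search runs with tracing on. Nothing echoes the password, yet the
# trace records every expanded command and assignment, including the value.
build_step_traced() {
  (
    set -x
    echo "step: resolve registry credentials"
    password=$(lookup_var REGISTRY_PASSWORD)
    echo "step: credentials resolved"
  ) 2>&1
}

# After: tracing is switched off before any secret is expanded and switched
# back on afterwards, so the rest of the build stays visible in the log.
build_step_wrapped() {
  (
    set -x
    echo "step: resolve registry credentials"
    { set +x; } 2>/dev/null   # the redirect hides the trace line of "set +x" itself
    password=$(lookup_var REGISTRY_PASSWORD)
    set -x
    echo "step: credentials resolved"
  ) 2>&1
}

echo "--- log with the search traced ---"
build_step_traced
echo "--- log with the search wrapped ---"
build_step_wrapped
```

A value resolved this way appears in the log again if a later traced command expands it, so any step that uses the credential belongs inside the untraced region as well.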

Workarounds

Only users who wish to implement different levels of visibility for variables in their organisation are impacted.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Credits