Cyber Resilience

CVE-2022-46155

High

Published: 29 November 2022

Published
29 November 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0020 41.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-46155 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Airtable Airtable. Its CVSS base score is 7.6 (High).

Operationally, ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle.…

more

Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

airtable
airtable
≤ 0.11.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-312 CWE-522

Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.

addresses: CWE-522

Training instructs users on protecting credentials from disclosure or unauthorized access.

addresses: CWE-312

Training on secure data handling discourages cleartext storage of sensitive information.

addresses: CWE-522

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

addresses: CWE-312

Data action mapping can detect storage actions that leave sensitive information in cleartext.

addresses: CWE-312

Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.

addresses: CWE-522

Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.

addresses: CWE-312

Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.

References