Impact
There is an information leak when using Garden in dev mode or watch mode, including the deprecated hot-reload mode.
In these modes, Garden exposes all environment variables of the application together with the configuration required to build the application and its cloud environment. This may include sensitive information such as credentials and secrets.
The configuration is exposed through the /api endpoint of the local server that serves the Garden dashboard.
At the moment, this server binds to 0.0.0.0 (all interfaces) rather than to localhost, so it is reachable by anyone on the same network, and by anyone on the internet if the host has a public, static IP.
Impact: an attacker on the same network as the user (or on the internet, if the host is publicly reachable) can read credentials, secrets and environment variables without authentication.
Patches
The problem has been patched in version 0.12.39.
Workarounds
Apply a firewall configuration that blocks access to port 9777 from everywhere except localhost, so that only the local dashboard can reach the /api endpoint.
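The following script is an added example and is not part of this advisory or of the Garden project. It checks whether a listener on the port the advisory names (9777, overridable via GARDEN_PORT) is bound to all interfaces, and prints the iptables/ip6tables rules that implement the workaround above by dropping everything that does not arrive on the loopback interface. The `ss -ltnH` output it parses is a constructed sample; replace it with the real command output to check a live host.

```shell
#!/bin/sh
# Added example (not from the advisory or from Garden): detect an exposed
# dashboard listener and print firewall rules that restrict it to localhost.
set -eu

GARDEN_PORT="${GARDEN_PORT:-9777}"   # port named in the advisory; assumption: unchanged on this host

# Constructed sample of `ss -ltnH` output (column 4 is Local Address:Port).
# It shows the vulnerable state: port 9777 bound to 0.0.0.0 and [::].
SAMPLE_SS='LISTEN 0 511 0.0.0.0:9777 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 [::]:9777 [::]:*'

# exposure_state LISTENER_OUTPUT PORT
# Prints "exposed" if PORT is bound to a wildcard address (0.0.0.0, [::], *),
# "local" if it is bound only to specific addresses, or "none" if not listening.
exposure_state() {
  printf '%s\n' "$1" | awk -v port="$2" '
    {
      n = split($4, a, ":"); p = a[n]
      if (p != port) next
      # strip ":port" to recover the address part, including IPv6 brackets
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*" || addr == "::")
        exposed = 1
      else
        local = 1
    }
    END {
      if (exposed) print "exposed"
      else if (local) print "local"
      else print "none"
    }'
}

# firewall_rules PORT
# Prints the rules to apply (as root). -I puts them ahead of any existing
# ACCEPT rules; "! -i lo" drops every packet to PORT that is not on loopback,
# so the dashboard stays usable from the machine itself.
firewall_rules() {
  cat <<EOF
iptables  -I INPUT -p tcp --dport $1 ! -i lo -j DROP
ip6tables -I INPUT -p tcp --dport $1 ! -i lo -j DROP
EOF
}

# Demonstration on the constructed sample; for a live host use:
#   exposure_state "$(ss -ltnH)" "$GARDEN_PORT"
state="$(exposure_state "$SAMPLE_SS" "$GARDEN_PORT")"
echo "port $GARDEN_PORT: $state"
if [ "$state" = exposed ]; then
  echo "apply the following as root to restrict the dashboard to localhost:"
  firewall_rules "$GARDEN_PORT"
fi
```

Running the block prints `port 9777: exposed` followed by the two rules. The rules are printed rather than executed so the script can be run without privileges and reviewed first; removing them later with `-D` in place of `-I` restores the previous state.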
For more information
If you have any questions or comments about this advisory: