Publish GHSA-jm5j-jfrm-hm23

advisory-database[bot] · advisory-database[bot] · commit 605eb4319ae4 · 2026-01-13T20:34:02.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-jm5j-jfrm-hm23/GHSA-jm5j-jfrm-hm23.json b/advisories/github-reviewed/2026/01/GHSA-jm5j-jfrm-hm23/GHSA-jm5j-jfrm-hm23.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jm5j-jfrm-hm23",
+  "modified": "2026-01-13T20:30:54Z",
+  "published": "2026-01-13T20:30:54Z",
+  "aliases": [
+    "CVE-2026-22798"
+  ],
+  "summary": "hermes's raw options logging may disclose secrets passed in via subcommand options argument",
+  "details": "Thanks, @thunze for reporting this!\n\n`hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66\n\nIf users provide sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), these are written to the log file in plain text, making them available to whoever can access the log file.\n\n### Impact\n\nAs currently, `hermes.log` is not yet uploaded automatically as an artifact in CI, this vuln impacts:\n\n- local users working on shared access computers, where logs may be written to a commonly accessible file system\n- CI users whose CI logs are accessible to others, e.g., through group or organization rights\n\nPotentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!\n\n### Patches\n\nThis has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`.\n\n### Workarounds\n\nUpgrade to `hermes` >= 0.9.1.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "hermes"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.8.1"
+            },
+            {
+              "fixed": "0.9.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.9.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22798"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/softwarepub/hermes"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T20:30:54Z",
+    "nvd_published_at": "2026-01-12T22:16:08Z"
+  }
+}
