x/vulndb: potential Go vuln in github.com/updatecli/updatecli: GHSA-v34r-vj4r-38j6

[GoVulnBot]

Advisory GHSA-v34r-vj4r-38j6 references a vulnerability in the following Go modules:

Module
github.com/updatecli/updatecli

Description:

Summary

Private maven repository credentials leaked in application logs in case of unsuccessful retrieval operation.

Details

During the execution of an updatecli pipeline which contains a maven source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure.

Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository .e.g. wrong coordinates provided, not existing artifact or version.

PoC

The [documentation](https://www.upda...

References:

• ADVISORY: GHSA-v34r-vj4r-38j6
• ADVISORY: GHSA-v34r-vj4r-38j6
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-24355
• FIX: updatecli/updatecli@344b280
• WEB: https://www.updatecli.io/docs/plugins/resource/maven

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/updatecli/updatecli
      versions:
        - fixed: 0.93.0
      vulnerable_at: 0.92.0
summary: Updatecli exposes Maven credentials in console output in github.com/updatecli/updatecli
cves:
    - CVE-2025-24355
ghsas:
    - GHSA-v34r-vj4r-38j6
references:
    - advisory: https://github.com/advisories/GHSA-v34r-vj4r-38j6
    - advisory: https://github.com/updatecli/updatecli/security/advisories/GHSA-v34r-vj4r-38j6
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-24355
    - fix: https://github.com/updatecli/updatecli/commit/344b28091ffeca5ed32e8d0f9eda542842fcd3fa
    - web: https://www.updatecli.io/docs/plugins/resource/maven
source:
    id: GHSA-v34r-vj4r-38j6
    created: 2025-01-24T19:02:02.894843296Z
review_status: UNREVIEWED