{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T08:31:50.196","vulnerabilities":[{"cve":{"id":"CVE-2022-46155","sourceIdentifier":"security-advisories@github.com","published":"2022-11-29T23:15:10.473","lastModified":"2024-11-21T07:30:13.207","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround, unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keys may be present in bundled code."},{"lang":"es","value":"Airtable.js es el cliente JavaScript para Airtable. 
Antes de la versión 0.11.6, Airtable.js tenía un script de compilación mal configurado en su paquete fuente. Cuando se ejecuta el script de compilación, agrupará variables de entorno en el destino de compilación de un paquete transpilado. Específicamente, las variables de entorno AIRTABLE_API_KEY y AIRTABLE_ENDPOINT_URL se insertan durante las compilaciones de Browserify debido a que se hace referencia a ellas en el código Airtable.js. Esto solo afecta a las copias de Airtable.js creadas desde su fuente, no a las instaladas mediante npm o Yarn. ¿Claves API de Airtable configuradas en los usuarios? Los entornos a través de la variable de entorno AIRTABLE_API_KEY se pueden incluir en copias locales del código fuente de Airtable.js si se cumplen todas las condiciones siguientes: \n1) el usuario ha clonado el código fuente de Airtable.js en su máquina, \n2) el usuario ejecuta el script  `npm prepare`, y \n3) el usuario tiene configurada la variable de entorno AIRTABLE_API_KEY. \nSi se cumplen estas condiciones, la compilación local de Airtable.js de un usuario se modificaría para incluir el valor de la variable de entorno AIRTABLE_API_KEY, que luego podría enviarse accidentalmente en el código incluido. Los usuarios que no cumplan con estas tres condiciones no se verán afectados por este problema. Los usuarios deben actualizar a Airtable.js versión 0.11.6 o superior; o, como workaround, desactive la variable de entorno AIRTABLE_API_KEY en su shell y/o elimínela de sus archivos de configuración .bashrc, .zshrc u otros archivos de configuración de shell. 
Los usuarios también deben volver a generar cualquier clave API de Airtable que utilicen, ya que la clave puede estar presente en el código incluido."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.5,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-522"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-312"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:airtable:airtable:*:*:*:*:*:node.js:*:*","versionEndExcluding":"0.11.6","matchCriteriaId":"ACDB1006-0566-4749-B53F-33E6DC6D2A9B"}]}]}],"references":[{"url":"https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/Airtable/airtable.js/releases/tag/v0.11.6","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/Airtable/airtable.js/pull/330/commits/b468d8fe48d75e3d5fe46d0ea7770f4658951ed0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/Airtable/airtable.js/releases/tag/v0.11.6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/Airtable/airtable.js/security/advisories/GHSA-vqm5-9546-x25v","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}