Tina CVE-2024-45391

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Information Exposure (CWE-200)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 13, 2026 - 20:30 (vuln.today)
Patch released: Mar 13, 2026 - 19:37 (nvd) - patch available
CVE Published: Sep 03, 2024 - 20:15 (nvd)

Description (NVD)

Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.

Analysis (AI)

High-severity information disclosure vulnerability in Tina CMS's CLI tool (versions before 1.6.2) that exposes search tokens in the tina-lock.json file, allowing unauthorized access to sensitive authentication credentials. Attackers can exploit this remotely without authentication to steal search tokens from affected websites. With an EPSS score of 0.25%, the likelihood of real-world exploitation is relatively low despite the high CVSS score.

Technical Context (AI)

The vulnerability affects the @tinacms/cli package for Node.js (CPE: cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*), specifically versions prior to 1.6.2. It is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the CLI tool inadvertently writes the search authentication token to the tina-lock.json file during the build process. Lock files are typically committed to version control, so the exposed token becomes readable by anyone with access to the repository, and by anyone at all if the repository is public.

Remediation (AI)

Immediate actions required:
1) Upgrade @tinacms/cli to version 1.6.2 or later (patch commit: https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a).
2) Rotate all search tokens immediately after upgrading.
3) Review and remove any tina-lock.json files that may contain exposed tokens from public repositories and from version control history.
The vendor security advisory (https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx) provides additional guidance. No workarounds are available; patching and token rotation are mandatory.
