Acme.sh Docker Image Credential Persistence Vulnerability

Vulnerability

A vulnerability exists in the acme.sh Docker image prior to commit 40b6db6. The image is built by a GitHub Actions workflow file, and that workflow does not set the 'persist-credentials: false' option on its actions/checkout step. Without this option, the checkout action leaves the workflow's token stored in the checked-out repository's local git configuration, where it persists for later steps and can be leaked or misused.
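As an added illustration (not the acme.sh project's own workflow), the weak checkout step described above beside the corrected one. The job name, trigger and the build step are assumptions; only the 'persist-credentials: false' line is the fix the advisory refers to. With the default setting, actions/checkout writes the job token into the repository's .git/config as an HTTP extra header, so any later step that reads or copies that directory (for example a Docker build whose context includes .git) can pick it up.

```yaml
# Constructed example workflow, not taken from the acme.sh repository.
name: build-image
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak: persist-credentials defaults to true, so the token is written
      # into .git/config and remains available to every following step.
      - uses: actions/checkout@v4

      # Corrected: the token is removed from the local git config once the
      # checkout completes, so later steps and the Docker build context
      # do not inherit it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Assumed build step; with the corrected checkout, the checked-out
      # tree no longer carries the token even if .git ends up in the context.
      - name: Build Docker image
        run: docker build -t example/acme-sh:local .
```

A quick way to confirm the fix on a runner is to add a step that runs `git config --local --list` after checkout: with the corrected setting, no `http.https://github.com/.extraheader` entry should be present.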

Impact

The lack of proper credential management can lead to unauthorized access to or manipulation of resources, because the token may be exposed to later workflow steps or build artifacts and retained longer than necessary.

Remediation

Users should update to an acme.sh Docker image built from commit 40b6db6 or later, whose workflow includes the 'persist-credentials: false' setting. Instructions for building the Docker image with the correct configuration are available in the acme.sh repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.