@rage-against-the-pixel/unity-cli Plaintext Credential Exposure Vulnerability in Sign-Package Command

Vulnerability

A vulnerability exists in the command-line utility '@rage-against-the-pixel/unity-cli' for the Unity Game Engine, specifically in versions prior to 1.8.2. The issue arises in the 'sign-package' command, which logs sensitive credentials, such as passwords, in plaintext when the '--verbose' flag is used. This unmasked information is then exposed to shell history, CI/CD logs, and log aggregation systems. The vulnerability requires users to manually enable the verbose flag while providing credential arguments, creating a significant risk in automated and shared environments.

Impact

Unity account passwords are written to the log in plaintext when the 'sign-package' command is run with the '--verbose' flag together with credential arguments, and from there reach shell history, CI/CD logs, and log aggregation systems.

Reproduction

To reproduce this vulnerability, run the 'sign-package' command in a version of '@rage-against-the-pixel/unity-cli' prior to 1.8.2 with the '--verbose' flag and the '--email' and '--password' arguments. The verbose output then includes the supplied credentials in plaintext.

Remediation

Users should update to version 1.8.2 or later. For those using GitHub Actions, RageAgainstThePixel and Buildalon actions are unaffected as they rely on environment variables for credentials. Otherwise, use the 'UNITY_USERNAME' and 'UNITY_PASSWORD' environment variables instead of command-line arguments.
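The following is an added example, not code from the unity-cli project, showing the two defensive patterns the advisory points at: resolving credentials from the 'UNITY_USERNAME' and 'UNITY_PASSWORD' environment variables before falling back to command-line arguments, and redacting secret-bearing arguments before a verbose log line is emitted. The flag names and environment variable names come from the advisory; the function names, the minimal argument parser and the sample values are assumptions made for illustration.

```javascript
// Added example (not the unity-cli project's own code). Flag names
// (--email, --password, --verbose) and the UNITY_USERNAME / UNITY_PASSWORD
// variables are taken from the advisory; function names are assumptions.

// Argument keys whose values must never appear in logs.
const SECRET_KEYS = new Set(['password', 'token', 'secret']);

// Minimal argv parser: "--key value" sets a string, a bare "--flag" sets true.
function parseArgs(argv) {
  const args = {};
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) continue;
    const key = a.slice(2);
    const next = argv[i + 1];
    if (next !== undefined && !next.startsWith('--')) {
      args[key] = next;
      i++;
    } else {
      args[key] = true;
    }
  }
  return args;
}

// Prefer environment variables (never echoed into shell history or a CI
// command line) and fall back to command-line arguments only if unset.
function resolveCredentials(args, env) {
  const fromEnv = env.UNITY_PASSWORD !== undefined;
  return {
    email: env.UNITY_USERNAME ?? args.email,
    password: env.UNITY_PASSWORD ?? args.password,
    source: fromEnv ? 'env' : 'argv',
  };
}

// Weak pattern: dump every parsed argument verbatim under --verbose.
function unsafeVerboseLine(args) {
  return `sign-package args: ${JSON.stringify(args)}`;
}

// Hardened pattern: replace secret-bearing values before serialising.
function redact(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    out[k] = SECRET_KEYS.has(k.toLowerCase()) && v !== undefined ? '[REDACTED]' : v;
  }
  return out;
}

function safeVerboseLine(args) {
  return `sign-package args: ${JSON.stringify(redact(args))}`;
}

// Defender-side check for captured CI output: does a log line contain the
// secret that was supplied to the command?
function leaksSecret(line, secret) {
  return typeof secret === 'string' && secret.length > 0 && line.includes(secret);
}

// Constructed sample invocation (values are made up for this example).
const sampleArgv = ['--email', 'dev@example.com', '--password', 'hunter2-sample', '--verbose'];
const sampleArgs = parseArgs(sampleArgv);
if (sampleArgs.verbose) {
  console.log('unsafe:', unsafeVerboseLine(sampleArgs));
  console.log('safe:  ', safeVerboseLine(sampleArgs));
}
```

Run with plain Node; the unsafe line reproduces the exposure class the advisory describes (the password appears verbatim), while the safe line shows '[REDACTED]' in its place. The `leaksSecret` helper is the check a CI maintainer can run over archived job logs to find out whether a secret that was passed on a command line has already been written out.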

Added: Feb 9, 2026, 10:37 PM
Updated: Feb 9, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 2.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.