Unprotected Storage of Credentials in hstm/dotfiles
May 28th 2021
The owner of this GitHub repo has inadvertently committed their .pgpass file, which contains login information for a localhost PostgreSQL server. We suggest the owner of this GitHub repo delete the file from the repo, add .pgpass to their .gitignore, and change their localhost PostgreSQL password so this cannot be chained with other vulnerabilities to expose data.
Proof of Concept
This exposure reveals the localhost PostgreSQL credentials and, through them, whatever data the associated database(s) hold.
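To catch this class of mistake before it is pushed, here is an added example (not part of the advisory or of the hstm/dotfiles repo) that parses the .pgpass format libpq reads, reports any entry that carries a password with the secret redacted, and exits non-zero so it can run as a git pre-commit hook. The sample file contents, the username "alice" and the file names it looks for are assumptions for the demonstration.

```python
"""Pre-commit check for PostgreSQL .pgpass files (added example, not from the advisory).
Format: hostname:port:database:username:password per line, '#' comments, and
backslash escapes for ':' and '\\'. Passwords are redacted in every finding."""
import sys
from pathlib import Path

FIELDS = ("host", "port", "database", "user", "password")
SAMPLE_PGPASS = """\
# constructed sample, not the file from the advisory
localhost:5432:*:alice:hunter2
localhost:5432:my\\:db:alice:pa\\\\ss
*:*:*:readonly:
"""

def parse_pgpass_line(line: str):
    """Split one entry into five fields, honouring '\\:' and '\\\\' escapes.
    Returns None for blank lines, comments and malformed entries (libpq skips those too)."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):  # escaped ':' or '\'
            cur.append(line[i + 1]); i += 2; continue
        if line[i] == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(line[i])
        i += 1
    fields.append("".join(cur))
    return dict(zip(FIELDS, fields)) if len(fields) == 5 else None

def scan_pgpass_text(text: str):
    """Return every entry that carries a non-empty password, with the password redacted."""
    hits = []
    for entry in map(parse_pgpass_line, text.splitlines()):
        if entry and entry["password"]:
            entry["password"] = "<redacted>"
            hits.append(entry)
    return hits

def scan_tree(root: Path):
    """Yield (relative path, redacted entry) for each .pgpass/pgpass.conf under root."""
    for path in root.rglob("*"):
        if path.name in (".pgpass", "pgpass.conf") and path.is_file():
            for entry in scan_pgpass_text(path.read_text(errors="replace")):
                yield str(path.relative_to(root)), entry

if __name__ == "__main__":  # non-zero exit lets a git pre-commit hook block the commit
    findings = list(scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
    for rel, e in findings:
        print(f"{rel}: {e['user']}@{e['host']}:{e['port']}/{e['database']} password={e['password']}")
    sys.exit(1 if findings else 0)
```

Removing the file from the working tree does not remove it from git history, which is why rotating the password matters as much as deleting the file.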