Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

2024-07-0520:07:01

CWE-200

GitHub Advisory Database

github.com

grpc metadata

pii concern

logs

github

tokens

affected versions

patches

workarounds

upgrade

printing

private information

software

AI Score

7.1

Confidence

Low

JSON

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

Affected configurations

Vulners

Node

google.golang.orggrpcRange<1.64.1

VendorProductVersionCPE
google.golang.orggrpc*cpe:2.3:a:google.golang.org:grpc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google.golang.org	grpc	*	cpe:2.3:a:google.golang.org:grpc::::::::

References

github.com/advisories/GHSA-xr7q-jx4m-x55m

github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb

github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m

AI Score

7.1

Confidence

Low

JSON