5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
0.0004 Low
EPSS
Percentile
15.7%
In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.
The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum).
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/bradleyfalzon/ghinstallation | lt | 2.0.0 |
docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
github.com/bradleyfalzon/ghinstallation
github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174
github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr
nvd.nist.gov/vuln/detail/CVE-2022-39304
pkg.go.dev/vuln/GO-2022-1178
securitylab.github.com/advisories/GHSL-2022-061_ghinstallation