Information Disclosure

2022-12-2005:04:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

information disclosure

github

installation token

refresh

vulnerability

software

0.0004 Low

EPSS

Percentile

15.7%

JSON

github.com/bradleyfalzon/ghinstallation is vulnerable to information disclosure. The vulnerability exists in the refreshToken function of transport.go, when the request to refresh an installation token fails, it allows an attacker to gain sensitive information through the error message.

CPENameOperatorVersion
github.com/bradleyfalzon/ghinstallationlev1.1.1
github.com/bradleyfalzon/ghinstallationlev1.1.1

CPE	Name	Operator	Version
	github.com/bradleyfalzon/ghinstallation	le	v1.1.1
	github.com/bradleyfalzon/ghinstallation	le	v1.1.1

References

docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation

github.com/advisories/GHSA-h4q8-96p6-jcgr

github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e

github.com/bradleyfalzon/ghinstallation/pull/44

github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for VERACODE:38534