github.com/bradleyfalzon/ghinstallation is vulnerable to information disclosure. The vulnerability exists in the `refreshToken` function of `transport.go`: when the request to refresh an installation token fails, an attacker can gain sensitive information through the error message.
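The failure mode described above, as an added example that is not code from ghinstallation or from this advisory: an error that embeds the dumped request next to one that reports only method, host, path and status code. The page does not say which data the error exposed; the `Authorization` header, the token value, the endpoint and every identifier below are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"strings"
)

// constructedJWT is a made-up placeholder value, not a real credential.
const constructedJWT = "constructed.app.jwt"

// failingTransport is a stub that always answers 401, so this runs offline.
type failingTransport struct{}

func (failingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	body := io.NopCloser(strings.NewReader(`{"message":"Bad credentials"}`))
	return &http.Response{StatusCode: 401, Status: "401 Unauthorized", Body: body, Request: req}, nil
}

// refresh asks a hypothetical endpoint (reserved, non-resolving host) for an
// installation token. verbose=true embeds the dumped request in the error (the
// leaky pattern); verbose=false reports only method, host, path and status code.
func refresh(rt http.RoundTripper, verbose bool) error {
	req, err := http.NewRequest(http.MethodPost, "https://api.example.invalid/app/installations/1/access_tokens", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+constructedJWT)
	resp, err := rt.RoundTrip(req)
	if err != nil {
		return fmt.Errorf("token refresh failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 == 2 {
		return nil
	}
	if verbose {
		// DumpRequest writes every header, Authorization included.
		dump, _ := httputil.DumpRequest(req, false)
		return fmt.Errorf("token refresh failed: %s\n%s", resp.Status, dump)
	}
	return fmt.Errorf("token refresh failed: %s %s%s returned %d", req.Method, req.URL.Host, req.URL.Path, resp.StatusCode)
}

func main() {
	fmt.Println(refresh(failingTransport{}, false))
}
```

Any caller that logs the verbose error, or returns it in an HTTP response, carries the credential along with it; the terse form keeps enough context to debug the failure.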
Name | Operator | Version |
---|---|---|
github.com/bradleyfalzon/ghinstallation | le | v1.1.1 |
docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
github.com/advisories/GHSA-h4q8-96p6-jcgr
github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174
github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
github.com/bradleyfalzon/ghinstallation/pull/44
github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr