GHSA-h4q8-96p6-jcgr: ghinstallation returns app JWT in error responses


Package

gomod github.com/bradleyfalzon/ghinstallation (Go)

Affected versions

< 2.0.0

Patched versions

2.0.0

Description

Impact

In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.

https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

The request carried the App's bearer JWT in its Authorization header, so that JWT was returned to clients as part of the error. This token is short-lived (10 minute maximum).
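The leak described above, written out as an added Go example (this is not ghinstallation's own code, and the error type, URL, handler and JWT value are all constructed for the example): an installation-token refresh that fails with a non-2xx status is turned into an error twice, once with the outgoing request dumped verbatim, once with the Authorization header redacted first. The containsSecret check is the kind of assertion a test suite can run to catch this class of CWE-209 bug before release.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"strings"
)

// refreshError is a constructed error type for this example, not ghinstallation's.
type refreshError struct {
	status  int
	details string
}

func (e *refreshError) Error() string {
	return fmt.Sprintf("refreshing installation token: status %d: %s", e.status, e.details)
}

// newRefreshRequest builds the access-token request an App sends, signed with
// its bearer JWT (constructed here, not a real token).
func newRefreshRequest(url, appJWT string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// leakyError is the pattern the advisory describes: the whole outgoing request,
// Authorization header included, is copied into the error for "debugging".
func leakyError(req *http.Request, resp *http.Response) error {
	dump, err := httputil.DumpRequestOut(req, false)
	if err != nil {
		return err
	}
	return &refreshError{status: resp.StatusCode, details: string(dump)}
}

// safeError keeps what a caller needs (method, URL, status, non-secret headers)
// and redacts the credential before the request text reaches the error.
func safeError(req *http.Request, resp *http.Response) error {
	redacted := req.Clone(req.Context())
	if redacted.Header.Get("Authorization") != "" {
		redacted.Header.Set("Authorization", "Bearer [REDACTED]")
	}
	dump, err := httputil.DumpRequestOut(redacted, false)
	if err != nil {
		return err
	}
	return &refreshError{status: resp.StatusCode, details: string(dump)}
}

// refreshToken performs the request and, on a non-2xx reply, returns either the
// leaky or the redacted error so the two can be compared side by side.
func refreshToken(client *http.Client, url, appJWT string, redact bool) error {
	req, err := newRefreshRequest(url, appJWT)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		return nil
	}
	if redact {
		return safeError(req, resp)
	}
	return leakyError(req, resp)
}

// containsSecret is the check: does the error text carry the credential?
func containsSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

// demo runs both variants against a stub API that always answers 401 and
// returns (leakyExposesJWT, redactedExposesJWT).
func demo() (bool, bool) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(w, `{"message":"Bad credentials"}`)
	}))
	defer srv.Close()
	const fakeJWT = "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED.FAKE" // constructed placeholder
	leaky := refreshToken(srv.Client(), srv.URL, fakeJWT, false)
	safe := refreshToken(srv.Client(), srv.URL, fakeJWT, true)
	return containsSecret(leaky, fakeJWT), containsSecret(safe, fakeJWT)
}

func main() {
	leaks, redacted := demo()
	fmt.Printf("leaky error exposes JWT: %v\nredacted error exposes JWT: %v\n", leaks, redacted)
}
```

Run it and the leaky variant reports true while the redacted one reports false. The fix keeps the request dump, which is genuinely useful when GitHub rejects a token refresh, and only strips the one header that must never reach logs or callers; a broader version would also scrub response bodies that echo credentials.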

Patches

  • This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases >= v2.0.0.

References

Are there any links users can visit to find out more?

  • See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in ghinstallation

References

  • GHSA-h4q8-96p6-jcgr
  • bradleyfalzon/ghinstallation@d24f14f
  • https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

bradleyfalzon published the maintainer security advisory

Dec 19, 2022

Severity

Moderate (5.0 / 10)

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L

Weaknesses

CWE-209

CVE ID

CVE-2022-39304

GHSA ID

GHSA-h4q8-96p6-jcgr

Source code

bradleyfalzon/ghinstallation

Credits

  • Miskerest


Related news

CVE-2022-39304

ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request contained the bearer JWT for the App, and was returned to clients. This token is short-lived (10 minute maximum). This issue has been patched and is available in version 2.0.0.