Coordinated Disclosure Timeline
- 2022-07-28: Issue reported to brad AT teambrad.net.
- 2022-09-05: Filed open issue to request security contact.
- 2022-09-06: A draft GitHub Security Advisory is opened to discuss the issue.
- 2022-09-06: GHSA was created and details were shared with the maintainers.
- 2022-12-19: The GHSA is published.
Summary
Bearer token gets disclosed when there is an error during token renewal
Product
ghinstallation
Tested Version
Up to latest version (2.1.0)
Details
Issue: bearer token disclosed on error (GHSL-2022-061)
When an error is encountered during token renewal, the full bearer token for the app is printed. This output can make its way to a Slack channel or similar apps.
At transport:143:

```go
// Token is not set or expired/nearly expired, so refresh.
// The error returned by refreshToken is wrapped verbatim into the returned
// error; per this advisory, that error text carries the app's bearer token.
if err := t.refreshToken(ctx); err != nil {
	return "", fmt.Errorf("could not refresh installation id %v's token: %w", t.installationID, err)
}
```
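The following is an added illustration, not code from ghinstallation or from the advisory. It models the failure mode described above in isolation: an error built on the token-refresh path that renders the outgoing request, Authorization header included, into its message, next to a variant that redacts secret-bearing headers on a copy of the request first. The function names, the endpoint URL and the sample bearer value are all constructed for this example; `errorExposesSecret` is the kind of check a unit test can run over any error produced on a credentialed code path.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Constructed sample credential for the example; not a real token.
const sampleBearer = "Bearer EXAMPLE.jwt.token"

// newRefreshRequest builds a request shaped like an installation-token
// refresh call. The host and path are placeholders for this example.
func newRefreshRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodPost,
		"https://api.example.invalid/app/installations/123/access_tokens", nil)
	req.Header.Set("Authorization", sampleBearer)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req
}

// leakyRefreshError shows the hazardous pattern: the request is dumped as-is,
// so the Authorization header ends up inside the error text, and from there
// in whatever log, chat channel or ticket the error is forwarded to.
func leakyRefreshError(req *http.Request, cause error) error {
	dump, _ := httputil.DumpRequest(req, false)
	return fmt.Errorf("token refresh failed: %w\nrequest:\n%s", cause, dump)
}

// redactedRefreshError keeps the same diagnostic value (method, path, host,
// non-secret headers, wrapped cause) but masks credential headers on a clone
// before anything is rendered. req.Clone deep-copies the Header map, so the
// original request used for the HTTP call is not modified.
func redactedRefreshError(req *http.Request, cause error) error {
	clone := req.Clone(req.Context())
	for _, h := range []string{"Authorization", "Cookie"} {
		if clone.Header.Get(h) != "" {
			clone.Header.Set(h, "[REDACTED]")
		}
	}
	dump, _ := httputil.DumpRequest(clone, false)
	return fmt.Errorf("token refresh failed: %w\nrequest:\n%s", cause, dump)
}

// errorExposesSecret reports whether the rendered error message contains the
// given secret; suitable as a unit-test assertion on error-producing paths.
func errorExposesSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

func main() {
	req := newRefreshRequest()
	cause := errors.New("422 Unprocessable Entity") // constructed upstream failure

	leaky := leakyRefreshError(req, cause)
	safe := redactedRefreshError(req, cause)

	fmt.Printf("leaky error exposes token:    %v\n", errorExposesSecret(leaky, sampleBearer))
	fmt.Printf("redacted error exposes token: %v\n", errorExposesSecret(safe, sampleBearer))
	fmt.Printf("redacted error still wraps cause: %v\n", errors.Is(safe, cause))
	fmt.Println("--- redacted error text ---")
	fmt.Println(safe.Error())
}
```

The practical takeaway is that redaction belongs at the point where a request or response is turned into text, not downstream in log shipping, because the error value may reach a destination (a Slack integration, a crash reporter) that never passes through the log pipeline's filters.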
Impact
This issue may lead to disclosure of the app token and hijacking of the app.
CVE
- CVE-2022-39304
Resources
Credit
This issue was discovered and reported by GitHub team member @Miskerest (Mike Bailey).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-061 in any communication regarding this issue.