Coordinated Disclosure Timeline

Summary

Bearer token gets disclosed when there is an error during token renewal

Product

ghinstallation

Tested Version

Up to latest version (2.1.0)

Details

Issue: bearer token disclosed on error (GHSL-2022-061)

When an error is encountered during token renewal, the full bearer token for the app is printed. This output can make its way to a Slack channel or similar apps.

At transport:143:

    // Token is not set or expired/nearly expired, so refresh
    if err := t.refreshToken(ctx); err != nil {
        return "", fmt.Errorf("could not refresh installation id %v's token: %w", t.installationID, err)
    }
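The following is an added illustration of the pattern, not ghinstallation's own code: a hypothetical low-level refresh call whose error text carries the request's Authorization header (constructed here to stand in for whatever the real transport error contained), wrapped once the way the snippet above does it and once with the credential scrubbed and a sentinel kept for errors.Is. The token value, the function names and the error text are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ErrTokenRefresh is a sentinel so callers can still match the failure with
// errors.Is after the detailed text has been scrubbed.
var ErrTokenRefresh = errors.New("installation token refresh failed")

// Constructed sample token (not a real credential).
const sampleToken = "ghs_EXAMPLE0123456789abcdefghijklmnopqrstuv"

// Matches "Bearer <token>" in any text; the character class also covers JWTs.
var bearerRe = regexp.MustCompile(`(?i)(bearer\s+)[A-Za-z0-9._~+/=\-]+`)

// refreshTokenLeaky stands in for a low-level refresh call whose error text
// happens to include the request's Authorization header (hypothetical).
func refreshTokenLeaky(installationID int64, bearer string) error {
	return fmt.Errorf("POST /app/installations/%d/access_tokens (Authorization: Bearer %s): connection reset",
		installationID, bearer)
}

// tokenVulnerable wraps the raw error, so the header travels with it to
// whatever log sink or chat integration eventually prints the message.
func tokenVulnerable(installationID int64, bearer string) (string, error) {
	if err := refreshTokenLeaky(installationID, bearer); err != nil {
		return "", fmt.Errorf("could not refresh installation id %v's token: %w", installationID, err)
	}
	return "new-token", nil
}

// tokenHardened scrubs credentials from the error text before wrapping and
// wraps a sentinel instead of the raw error, so no unwrap path re-exposes it.
func tokenHardened(installationID int64, bearer string) (string, error) {
	if err := refreshTokenLeaky(installationID, bearer); err != nil {
		scrubbed := bearerRe.ReplaceAllString(err.Error(), "${1}[REDACTED]")
		return "", fmt.Errorf("could not refresh installation id %v's token: %w: %s",
			installationID, ErrTokenRefresh, scrubbed)
	}
	return "new-token", nil
}

func main() {
	_, err := tokenVulnerable(42, sampleToken)
	fmt.Println("vulnerable:", err) // token appears in the message
	_, err = tokenHardened(42, sampleToken)
	fmt.Println("hardened:  ", err) // token replaced by [REDACTED]
}
```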

Impact

This issue may lead to disclosure of the app token and hijacking of the app.

CVE

Resources

Credit

This issue was discovered and reported by GitHub team member @Miskerest (Mike Bailey).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-061 in any communication regarding this issue.