December 22, 2022

GHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

The bearer token is disclosed when an error occurs during token renewal.

Product

ghinstallation

Tested Version

Up to latest version (2.1.0)

Details

Issue: bearer token disclosed on error (GHSL-2022-061)

When an error is encountered during token renewal, the full bearer token for the app is included in the error and printed. That output can then make its way to a Slack channel or similar applications that receive the library's error messages.

At transport:143:

```go
// Token is not set or expired/nearly expired, so refresh.
// The refresh error is wrapped verbatim into the returned error, so whatever
// refreshToken put into err (including the bearer token) reaches the caller.
if err := t.refreshToken(ctx); err != nil {
	return "", fmt.Errorf("could not refresh installation id %v's token: %w", t.installationID, err)
}
```
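As an added illustration of the mitigation side (this is example code, not ghinstallation's own), the snippet below scrubs any bearer credential out of a refresh error before it is wrapped and surfaced, so the same `fmt.Errorf` pattern no longer carries the token into logs or chat notifications. The failing request text, the `tokenFromRefresh` helper and the installation ID are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// bearerPattern matches an HTTP bearer credential wherever it appears in an
// error string: "Bearer " followed by token characters (JWTs and installation
// tokens use base64url/alphanumeric characters with ._- separators).
var bearerPattern = regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+`)

// RedactBearer returns an error that is safe to print or forward: every bearer
// credential in the message is replaced by a fixed marker. The original error
// is deliberately not kept in the Unwrap chain, so nothing that walks the chain
// (structured loggers, %+v formatters) can reach the credential either.
func RedactBearer(err error) error {
	if err == nil {
		return nil
	}
	return errors.New(bearerPattern.ReplaceAllString(err.Error(), "Bearer [REDACTED]"))
}

// errRefresh is a constructed refresh failure whose text carries the
// Authorization header, which is the shape of leak the advisory describes.
var errRefresh = errors.New(`POST /app/installations/42/access_tokens: 401 ` +
	`with header "Authorization: Bearer eyJhbGciOi.constructed.sig"`)

// tokenFromRefresh mirrors the advisory's wrapping of the refresh error, but
// scrubs the inner error first so the wrapped message never contains the token.
func tokenFromRefresh(installationID int64) (string, error) {
	if err := RedactBearer(errRefresh); err != nil {
		return "", fmt.Errorf("could not refresh installation id %v's token: %w", installationID, err)
	}
	return "", nil
}

func main() {
	_, err := tokenFromRefresh(42)
	fmt.Println(err) // the printed message contains "Bearer [REDACTED]", not the token
}
```

Scrubbing at the point where the error is created is preferable to scrubbing at each log sink, because the error can travel through arbitrary callers before anyone decides to print it.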

Impact

This issue may lead to disclosure of the app token and hijacking of the app.

CVE

Resources

Credit

This issue was discovered and reported by GitHub team member @Miskerest (Mike Bailey).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-061 in any communication regarding this issue.