skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
December 22, 2022

GHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Bearer token gets disclosed when there is an error during token renewal

Product

ghinstallation

Tested Version

Up to latest version (2.1.0)

Details

Issue: bearer token disclosed on error (GHSL-2022-061)

When an error is encountered during token renewal, the full bearer token for the app is printed. This output can make its way to a Slack channel or similar apps.

At transport:143:

// Token is not set or expired/nearly expired, so refresh
		if err := t.refreshToken(ctx); err != nil {
			return "", fmt.Errorf("could not refresh installation id %v's token: %w", t.installationID, err)
		}

Impact

This issue may lead to disclosure of the app token and hijacking of the app.

CVE

Resources

Credit

This issue was discovered and reported by GitHub team member @Miskerest (Mike Bailey).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-061 in any communication regarding this issue.