CVE-2022-39304

ghinstallation returns app JWT in error responses

CVSS 5 MEDIUMEPSS 0.4%CWE-209

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Dec 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum). This issue has been patched and is available in version 2.0.0.

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L

Affected products

bradleyfalzon · ghinstallation

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174 https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr