CVE-2016-10526

HIGH

grunt-gh-pages < 0.9.1 - Unauthenticated Credential Exposure via Logging Function

Title source: llm
STIX 2.1

Description

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://github.com/tschaub/grunt-gh-pages/pull/41
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/85

Scores

CVSS v3 8.6
EPSS 0.0164
EPSS Percentile 73.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-255 CWE-391 CWE-532
Status published
Products (2)
grunt-gh-pages_project/grunt-gh-pages < 0.9.1
npm/grunt-gh-pages 0 - 0.10.0npm
Published May 31, 2018
Tracked Since Feb 18, 2026