CVE-2022-39304
Severity: MEDIUM
ghinstallation < 2.0.0 - Sensitive Information Exposure via Error Message
Title source: llmDescription
ghinstallation provides Transport, which implements http.RoundTripper to authenticate as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response were included in the returned error for debugging. The request carried the App's bearer JWT in its Authorization header, so the JWT was returned to callers (and to wherever they logged the error). The token is short-lived (10 minutes maximum). This issue has been patched in version 2.0.0.
References (4)
Patch, Third Party Advisory (x_refsource_confirm):
https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr
Patch, Third Party Advisory (x_refsource_misc):
https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
Technical Description, Third Party Advisory (x_refsource_misc):
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
Exploit, Third Party Advisory (x_refsource_misc):
https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174
Scores
CVSS v3: 5.0
EPSS: 0.0038
EPSS Percentile: 29.8%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-209
Status: published
Products (2)
bradleyfalzon/ghinstallation: 0 - 2.0.0 (Go)
ghinstallation_project/ghinstallation: < 2.0.0
Published: Dec 20, 2022
Tracked Since: Feb 18, 2026