Vulnerability Report: GO-2022-1178
- CVE-2022-39304, GHSA-h4q8-96p6-jcgr
- Affects: github.com/bradleyfalzon/ghinstallation
- Published: Dec 22, 2022
- Modified: May 20, 2024
Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.
For detailed information about this vulnerability, visit https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr.
Affected Packages
-
PathGo VersionsSymbols
-
before v1.1.2-0.20210308182858-d24f14f8be70
Aliases
References
- https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr
- https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
- https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
- https://vuln.go.dev/ID/GO-2022-1178.json
Credits
- @Miskerest
Feedback
See anything missing or incorrect?
Suggest an edit to this report.