Search criteria Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.

1 vulnerability by grunt-gh-pages_project

CVE-2016-10526 (GCVE-0-2016-10526)

Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-16 20:37
VLAI?
Summary
A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.
Severity ?
No CVSS data available.
CWE
  • CWE-391 - Unchecked Error Condition (CWE-391)
Assigner
References
Impacted products
Vendor Product Version
HackerOne grunt-gh-pages node module Affected: <=0.9.1
Create a notification for this product.
Date Public ?
2018-04-26 00:00
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:21:52.150Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tschaub/grunt-gh-pages/pull/41"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/85"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grunt-gh-pages node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=0.9.1"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions \u003c 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-391",
              "description": "Unchecked Error Condition (CWE-391)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-31T19:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tschaub/grunt-gh-pages/pull/41"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/85"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2016-10526",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "grunt-gh-pages node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c=0.9.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions \u003c 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unchecked Error Condition (CWE-391)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/tschaub/grunt-gh-pages/pull/41",
              "refsource": "MISC",
              "url": "https://github.com/tschaub/grunt-gh-pages/pull/41"
            },
            {
              "name": "https://nodesecurity.io/advisories/85",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/85"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2016-10526",
    "datePublished": "2018-05-31T20:00:00.000Z",
    "dateReserved": "2017-10-29T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:37:56.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}