GHSA-36RH-GGPR-J3GJ

Vulnerability from github – Published: 2020-09-14 16:38 – Updated: 2022-08-11 13:19
Summary
Renovate vulnerable to Azure DevOps token leakage in logs
Details

Impact

Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view.

Patches

Fixed in

Workarounds

Do not share Renovate logs with anyone who cannot be trusted with access to the token.
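The leak described above happens because the token travels inside the git command line (`-c http.extraheader="AUTHORIZATION: ..."`) and that command line is written to the log verbatim. As an added example, not Renovate's own code, the following JavaScript shows a log-redaction layer that masks the extraheader value by pattern and additionally masks any known secret value, including the base64 form it takes in the header; it assumes the header carries `basic base64(":" + PAT)`, the usual Azure DevOps PAT form, and the PAT and command below are constructed samples.

```javascript
// Added example, not Renovate's own code. Two complementary ways to keep an
// Azure DevOps token out of logs when git is run with
// `-c http.extraheader="AUTHORIZATION: basic <base64>"` (assumed PAT form).

// 1. Pattern-based: mask whatever follows the AUTHORIZATION extraheader,
//    whether the scheme is `basic`, `bearer`, or omitted.
const AUTH_HEADER_RE =
  /(http\.extraheader=["']?AUTHORIZATION:\s*(?:basic|bearer)?\s*)([^\s"']+)/gi;

function redactAuthHeader(text) {
  return text.replace(AUTH_HEADER_RE, (_match, prefix) => `${prefix}[REDACTED]`);
}

// 2. Value-based: mask every occurrence of a known secret, both raw and in
//    the base64(":" + secret) form that basic auth puts in the header.
function redactSecrets(text, secrets) {
  let out = text;
  for (const secret of secrets) {
    if (!secret) continue;
    const encoded = Buffer.from(`:${secret}`).toString('base64');
    for (const needle of [secret, encoded]) {
      out = out.split(needle).join('[REDACTED]');
    }
  }
  return out;
}

// Wrap a log sink so every message passes through both filters before it
// reaches the server or pipeline log.
function createSafeLogger(sink, secrets) {
  return (message) => sink(redactSecrets(redactAuthHeader(message), secrets));
}

// Constructed sample: a placeholder PAT and the git command that embeds it,
// i.e. the kind of line that would have leaked unredacted.
const SAMPLE_PAT = 'constructed-pat-value-not-real';
const SAMPLE_B64 = Buffer.from(`:${SAMPLE_PAT}`).toString('base64');
const SAMPLE_CMD =
  `git -c http.extraheader="AUTHORIZATION: basic ${SAMPLE_B64}" fetch origin`;

// Runs both sample messages through the safe logger and returns what the
// sink would have received.
function demo() {
  const lines = [];
  const log = createSafeLogger((m) => lines.push(m), [SAMPLE_PAT]);
  log(`running: ${SAMPLE_CMD}`);
  log(`token echoed raw: ${SAMPLE_PAT}`); // a secret can also be logged directly
  return lines;
}
```

The pattern filter protects against the exact command-line shape in this advisory, while the value filter catches the same secret wherever else it surfaces in a message.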


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.180.0"
            },
            {
              "fixed": "23.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-14T16:38:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nApplies to Azure DevOps users only. The bot\u0027s token may be exposed in server or pipeline logs due to the `http.extraheader=AUTHORIZATION` parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there\u0027s a potential that logs have been saved to a location that others can view.\n\n### Patches\n\nFixed in \n\n### Workarounds\n\nDo not share Renovate logs with anyone who cannot be trusted with access to the token.\n",
  "id": "GHSA-36rh-ggpr-j3gj",
  "modified": "2022-08-11T13:19:15Z",
  "published": "2020-09-14T16:38:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-36rh-ggpr-j3gj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/renovatebot/renovate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Renovate vulnerable to Azure DevOps token leakage in logs"
}

