Description
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
Summary
Due to unsafe URL handling, bbot's git_clone.py can be made to leak a user's github.com API key to an attacker-controlled webserver.
Impact
A user who has placed their github.com API key in the configuration for any of the following modules:
github_codesearch, github_workflows, gitlab, git_clone, github_usersearch, github_org
may leak it to an untrustworthy server.
References
Packages
Name: bbot (pip)
Affected versions: < 2.7.0
Fixed version: 2.7.0
Related vulnerabilities
CVSS3: 4.7
nvd
4 months ago
BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker-controlled server with a maliciously formatted git URL.