CVE-2016-10526

Опубликовано: 31 мая 2018

Источник: nvd

CVSS3: 8.6

CVSS2: 5

EPSS Низкий

Описание

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

Ссылки

https://github.com/tschaub/grunt-gh-pages/pull/41
Third Party Advisory
https://nodesecurity.io/advisories/85
Third Party Advisory
https://github.com/tschaub/grunt-gh-pages/pull/41
Third Party Advisory
https://nodesecurity.io/advisories/85
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:grunt-gh-pages_project:grunt-gh-pages:*:*:*:*:*:node.js:*:*

Версия до 0.9.1 (исключая)

EPSS

Процентиль: 53%

0.003

Низкий

8.6 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-391

CWE-255

Связанные уязвимости

GHSA-rrj3-qmh8-72pf

github

почти 7 лет назад

grunt-gh-pages before 0.10.0 may allow unencrypted GitHub credentials to be written to a log file