Vulnerability Report: GO-2022-1178

CVE-2022-39304, GHSA-h4q8-96p6-jcgr
Affects: github.com/bradleyfalzon/ghinstallation
Published: Dec 22, 2022
Modified: Jun 12, 2023

Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.

For detailed information about this vulnerability, visit https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr.

Affected Packages

Path

Versions

Symbols
github.com/bradleyfalzon/ghinstallation

before v1.1.2-0.20210308182858-d24f14f8be70
- Transport.RoundTrip
- Transport.Token

Aliases

CVE-2022-39304
GHSA-h4q8-96p6-jcgr

References

https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr
https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
https://vuln.go.dev/ID/GO-2022-1178.json

Credits

@Miskerest

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL