| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-1178", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2022-39304", |
| "GHSA-h4q8-96p6-jcgr" |
| ], |
| "summary": "JWT leak in github.com/bradleyfalzon/ghinstallation", |
| "details": "Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/bradleyfalzon/ghinstallation", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.1.2-0.20210308182858-d24f14f8be70" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/bradleyfalzon/ghinstallation", |
| "symbols": [ |
| "Transport.RoundTrip", |
| "Transport.Token", |
| "Transport.refreshToken" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "@Miskerest" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-1178" |
| } |
| } |