data/reports/GO-2022-1178.yaml

id: GO-2022-1178
modules:
    - module: github.com/bradleyfalzon/ghinstallation
      versions:
        - fixed: 1.1.2-0.20210308182858-d24f14f8be70
      vulnerable_at: 1.1.1
      packages:
        - package: github.com/bradleyfalzon/ghinstallation
          symbols:
            - Transport.refreshToken
            - Transport.Token
          derived_symbols:
            - Transport.RoundTrip
summary: JWT leak in github.com/bradleyfalzon/ghinstallation
description: |-
    Errors returned by ghinstallation.Transport can include the JWT used for the
    failed operation. If the error is exposed to an untrusted party, this JWT could
    be extracted and used to authenticate further requests.
cves:
    - CVE-2022-39304
ghsas:
    - GHSA-h4q8-96p6-jcgr
credits:
    - '@Miskerest'
references:
    - advisory: https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr
    - fix: https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e
    - web: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation