Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2016-10526

UNKNOWN
Published 2018-05-31T20:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2016-10526. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

grunt-gh-pages node module

Affected Versions:

<=0.9.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

grunt-gh-pages before 0.10.0 may allow unencrypted GitHub credentials to be written to a log file

GHSA-rrj3-qmh8-72pf

Advisory Details

Versions of `grunt-gh-pages` prior to 0.10.0 are affected by a vulnerability which may cause unencrypted GitHub credentials to be written to a log file in certain circumstances. In the `grunt-gh-pages` deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, `grunt-gh-pages` will write the token to a log file, unencrypted. ## Recommendation Update to version 0.10.0 or later.

Affected Packages

npm grunt-gh-pages
ECOSYSTEM: ≥0 <0.10.0

CVSS Scoring

CVSS Score

5.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-10526
WEB https://github.com/tschaub/grunt-gh-pages/pull/41
WEB https://github.com/tschaub/grunt-gh-pages/pull/41/commits/590f69767203d8c379fe18cded93bd5ad6cb53cb
WEB https://github.com/tschaub/grunt-gh-pages/commit/2d277e3e969ccd4c2d493f3795400fa77e6b6342
PACKAGE https://github.com/tschaub/grunt-gh-pages
WEB https://www.npmjs.com/advisories/85

Advisory provided by GitHub Security Advisory Database. Published: February 18, 2019, Modified: August 3, 2022

References

https://github.com/tschaub/grunt-gh-pages/pull/41
https://nodesecurity.io/advisories/85
Published: 2018-05-31T20:00:00Z
Last Modified: 2024-09-16T20:37:56.998Z
Copied to clipboard!