Impact
In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.
```go
if resp.StatusCode/100 != 2 {
	// resp.Request carries the Authorization header with the App's bearer JWT,
	// so formatting it with %+v writes the token into the returned error.
	return fmt.Errorf("request %+v received non 2xx response status %q with body %+v and TLS %+v", resp.Request, resp.Body, resp.Request, resp.TLS)
}
```
The request contained the App's bearer JWT, so the token was returned to callers inside the error. This token is short-lived (10 minute maximum).
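The v1 error construction beside a redacting version, as an added example that is not ghinstallation's own code. The token, URL and response body are constructed samples; `leakyRefreshError` and `safeRefreshError` are hypothetical names.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// leakyRefreshError mirrors the v1 pattern: the whole *http.Request (headers
// included) is formatted with %+v, so the Authorization header and the App's
// bearer JWT end up in the error message handed back to the caller.
func leakyRefreshError(resp *http.Response) error {
	return fmt.Errorf("request %+v received non 2xx response status %d", resp.Request, resp.StatusCode)
}

// safeRefreshError keeps what is useful for debugging (method, URL, status,
// a bounded body excerpt) and never formats headers or the request struct.
func safeRefreshError(resp *http.Response) error {
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
	return fmt.Errorf("%s %s received non 2xx response status %d with body %q",
		resp.Request.Method, resp.Request.URL.Redacted(), resp.StatusCode, strings.TrimSpace(string(body)))
}

// Constructed sample token (not a real credential) and a failed refresh response.
const sampleJWT = "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE"

func sampleResponse() *http.Response {
	req, _ := http.NewRequest(http.MethodPost, "https://api.github.com/app/installations/1/access_tokens", nil)
	req.Header.Set("Authorization", "Bearer "+sampleJWT)
	return &http.Response{
		StatusCode: 401,
		Request:    req,
		Body:       io.NopCloser(strings.NewReader(`{"message":"Bad credentials"}`)),
	}
}

// leaksToken reports whether the error text contains the sample bearer JWT.
func leaksToken(err error) bool { return strings.Contains(err.Error(), sampleJWT) }

func main() {
	fmt.Println("v1-style error leaks token:", leaksToken(leakyRefreshError(sampleResponse())))
	fmt.Println("redacted error leaks token: ", leaksToken(safeRefreshError(sampleResponse())))
}
```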
Patches
- This has already been patched in d24f14f, and is available in releases >= v2.0.0.