-
Notifications
You must be signed in to change notification settings - Fork 122
/
85.json
24 lines (24 loc) · 1.1 KB
/
85.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
{
"id": 85,
"created_at": "2016-03-16",
"updated_at": "2016-04-20",
"title": "Authentication credentails logged in clear text",
"author": {
"name": "Stephan Bönnemann",
"website": null,
"username": null
},
"module_name": "grunt-gh-pages",
"publish_date": "2016-03-16",
"cves": [],
"vulnerable_versions": "<=0.9.1",
"patched_versions": ">=0.10.0",
"overview": "A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. \n\nIn module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.",
"recommendation": "- Upgrade to version 1.0.0 or greater.\n- Consider any credentials used with these modules compromised and rotate those credentials.",
"references": [
"https://github.com/tschaub/grunt-gh-pages/pull/41"
],
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"cvss_score": 6.5,
"coordinating_vendor": "^Lift Security"
}