{"id":"GHSA-h4q8-96p6-jcgr","summary":"ghinstallation returns app JWT in error responses","details":"### Impact\n\nIn ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.\n\nhttps://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174\n\nThe request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum).\n\n### Patches\n\n- This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases \u003e= v2.0.0.\n\n### References\n_Are there any links users can visit to find out more?_\n\n- See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [ghinstallation](https://github.com/bradleyfalzon/ghinstallation)\n","aliases":["CVE-2022-39304","GO-2022-1178"],"modified":"2023-11-08T04:10:18.331336Z","published":"2022-12-19T22:48:32Z","database_specific":{"cwe_ids":["CWE-209"],"github_reviewed":true,"severity":"MODERATE","nvd_published_at":"2022-12-20T20:15:00Z","github_reviewed_at":"2022-12-19T22:48:32Z"},"references":[{"type":"WEB","url":"https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39304"},{"type":"WEB","url":"https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e"},{"type":"WEB","url":"https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation"},{"type":"PACKAGE","url":"https://github.com/bradleyfalzon/ghinstallation"},{"type":"WEB","url":"https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2022-1178"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2022-061_ghinstallation"}],"affected":[{"package":{"name":"github.com/bradleyfalzon/ghinstallation","ecosystem":"Go","purl":"pkg:golang/github.com/bradleyfalzon/ghinstallation"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-h4q8-96p6-jcgr/GHSA-h4q8-96p6-jcgr.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L"}]}