Authentication credentials logged in clear text

Module: grunt-gh-pages

Published: March 16th, 2016

Reported by: Stephan Bönnemann

CVE-NONE

CWE-

Vulnerable: <=0.9.1
Patched: >=1.0.0

Overview

A common setup for deploying to gh-pages on every commit from a CI system is to expose a GitHub token as an environment variable and to embed it directly in the auth (userinfo) portion of the repository URL, e.g. https://TOKEN@github.com/owner/repo.git.

In module versions <= 0.9.1 the auth portion of that URL is output as part of the Grunt task's logging. If that output is publicly available, as CI build logs for open source projects usually are, the credentials should be considered compromised.

Remediation

  • Upgrade to version 1.0.0 or greater.
  • Consider any credentials used with this module compromised and rotate them.

References
