Authentication credentials logged in clear text

Module: grunt-gh-pages

Published: March 16th, 2016

Reported by: Stephan Bönnemann

CVE-NONE

CWE-391

Vulnerable: <=0.9.1
Patched: >=1.0.0

Overview

Versions of grunt-gh-pages prior to 1.0.0 are affected by a vulnerability that may cause unencrypted GitHub credentials to be written to a log file in certain circumstances.

In the grunt-gh-pages deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, grunt-gh-pages will write the token to a log file, unencrypted.
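The leak described above comes from logging a remote URL whose auth portion carries the token. As an added example (not code from grunt-gh-pages or from its fix), the JavaScript below wraps a log function so that URL credentials are redacted before a message is written; `redactUrlCredentials`, `redactingLogger` and `demo` are hypothetical names, and the token and repository are constructed.

```javascript
// Added example, not grunt-gh-pages code. Function names are hypothetical;
// the token, owner and repository in the sample are constructed.

// Userinfo of a scheme://userinfo@host URL embedded in free text. Userinfo
// cannot contain "/", "?", "#", quotes or whitespace; greedy matching runs to
// the last "@" in the authority, so a password holding a raw "@" is covered.
const USERINFO_RE = /\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/?#"']*@/gi;

function redactUrlCredentials(text) {
  return String(text).replace(USERINFO_RE, '$1[REDACTED]@');
}

// Wrap any sink (console.log, a file stream's write) so every argument is
// redacted before it is written. Errors are logged via their stack, which
// includes the message, because failed git commands often echo the remote URL.
function redactingLogger(write) {
  return (...args) => {
    const parts = args.map((arg) => {
      if (arg instanceof Error) {
        return redactUrlCredentials(arg.stack || arg.message);
      }
      return redactUrlCredentials(
        typeof arg === 'string' ? arg : JSON.stringify(arg)
      );
    });
    return write(parts.join(' '));
  };
}

// Constructed sample: a token injected into the auth portion of the remote URL.
const SAMPLE_REPO = 'https://CONSTRUCTED_TOKEN_123@github.com/owner/repo.git';

function demo() {
  const lines = [];
  const log = redactingLogger((line) => lines.push(line));
  log('Cloning', SAMPLE_REPO);                       // plain string
  log(new Error(`push failed for ${SAMPLE_REPO}`));  // error message and stack
  log({ repo: SAMPLE_REPO, branch: 'gh-pages' });    // serialized options
  return lines;
}

console.log(demo().join('\n'));
```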

Remediation

Update to version 1.0.0 or later.

References

PR #41