GHSA-2wx6-wc87-rmjm
Vulnerability from github
Published
2020-03-19 17:29
Modified
2024-09-20 17:31
Severity ?
7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
GitHub personal access token leaking into temporary EasyBuild (debug) logs
Details

Impact

The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files.

Scope:

  • the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
    • as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using --upload-test-report in combination with --from-pr, nor in the installation logs that are copied to the software installation directories;
  • the message is only logged when using --debug, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);
  • the log message is triggered via --from-pr, but also via various other GitHub integration options like --new-pr, --merge-pr, --close-pr, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;
  • you may have several debug log files that include your GitHub token in /tmp (or a different location if you've set the --tmpdir EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);
  • the only way that a log file that may include your token could have been made public is if you shared it yourself, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
  • for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;

Patches

The issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.

This fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the master+ develop branches of the easybuild-framework repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).

Make sure you revoke the existing GitHub tokens you're using with EasyBuild (via https://github.com/settings/tokens), and install new ones using "eb --install-github-token --force" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).

Workarounds

  • avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;
  • don't share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;
  • clean up temporary EasyBuild log files in /tmpon the system(s) where you`re using EasyBuild

References

  • https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)
  • (release announcement to EasyBuild mailing list)

For more information

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "easybuild-framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-19T17:04:51Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files.\n\nScope:\n\n* the log message only appears in the top-level log file, *not* in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);\n    - as a consequence, tokens are *not* included in the partial log files that are uploaded into a gist when using `--upload-test-report` in combination with `--from-pr`, nor in the installation logs that are copied to the software installation directories;\n* the message is only logged when using `--debug`, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);\n* the log message is triggered via `--from-pr`, but also via various other GitHub integration options like `--new-pr`, `--merge-pr`, `--close-pr`, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;\n* you may have several debug log files that include your GitHub token in `/tmp` (or a different location if you\u0027ve set the `--tmpdir` EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);\n* the only way that a log file that may include your token could have been made public is *if you shared it yourself*, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;\n* for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;\n\n### Patches\n\nThe issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.\n\nThis fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the `master`+  `develop` branches of the `easybuild-framework` repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).\n\n**Make sure you revoke the existing GitHub tokens you\u0027re using with EasyBuild** (via https://github.com/settings/tokens), and install new ones using \"`eb --install-github-token --force`\" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).\n\n### Workarounds\n\n* avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;\n* don\u0027t share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;\n* clean up temporary EasyBuild log files in `/tmp`on the system(s) where you`re using EasyBuild\n\n### References\n\n* https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)\n* (release announcement to EasyBuild mailing list)\n\n### For more information\n\n* Open an issue in [the `easybuild-framework` repository](https://github.com/easybuilders/easybuild-framework)\n* Email us at [easybuild-admin@lists.ugent.be](mailto:easybuild-admin@lists.ugent.be)",
  "id": "GHSA-2wx6-wc87-rmjm",
  "modified": "2024-09-20T17:31:44Z",
  "published": "2020-03-19T17:29:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/commit/210743d0e3618a8ac0a56eb9c0f4fa4fd8ae53b9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/easybuilders/easybuild-framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild-framework/PYSEC-2020-41.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild/PYSEC-2020-268.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GitHub personal access token leaking into temporary EasyBuild (debug) logs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.