CVE-2016-10526

EPSS 0.3%
Veröffentlicht 31.05.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 02:44:12
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Grunt-gh-pages Project ≫ Grunt-gh-pages SwPlatformnode.js Version < 0.9.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.529

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.6	3.9	4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-391 Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/tschaub/grunt-gh-pages/pull/41

Third Party Advisory

https://nodesecurity.io/advisories/85

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-10526

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-10526

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-10526

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2016-10526