CVE-2020-5262 (CVSS base score 7.7)
- EPSS 0.54%
- Published 19.03.2020 17:15:13
- Last modified 21.11.2024 05:33:47
- Source security-advisories@github.com
GitHub personal access token leaking into temporary EasyBuild (debug) logs
In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (such as `--new-pr`, `--from-pr`, etc.) is written in plain text to EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master` and `develop` branches of the `easybuild-framework` repository.
Data provided by the National Vulnerability Database (NVD)
Affected: EasyBuild Project ≫ EasyBuild, versions < 4.1.2

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.54% | 0.41 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd@nist.gov | 2.1 | 3.9 | 2.9 | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| security-advisories@github.com | 7.7 | 2.5 | 5.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CWE-532 Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
CWE-922 Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
https://github.com/easybuilders/easybuild-framework/pull/3248
https://github.com/easybuilders/easybuild-framework/pull/3249
https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm