Skip to content

grunt-gh-pages before 0.10.0 may allow unencrypted GitHub credentials to be written to a log file

Moderate severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

npm grunt-gh-pages (npm)

Affected versions

<= 0.9.1

Patched versions

0.10.0

Description

Versions of grunt-gh-pages prior to 0.10.0 are affected by a vulnerability which may cause unencrypted GitHub credentials to be written to a log file in certain circumstances.

In the grunt-gh-pages deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, grunt-gh-pages will write the token to a log file, unencrypted.

Recommendation

Update to version 0.10.0 or later.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 11, 2023

Severity

Moderate

EPSS score

0.151%
(52nd percentile)

Weaknesses

CVE ID

CVE-2016-10526

GHSA ID

GHSA-rrj3-qmh8-72pf

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.