CVE-2022-39304 : ghinstallation provides transport, which implements http.RoundTripper to provide

ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum). This issue has been patched and is available in version 2.0.0.

Published 2022-12-20 20:15:10

Updated 2022-12-29 17:16:32

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-39304

Ghinstallation Project » Ghinstallation
Versions before (<) 2.0.0
cpe:2.3:a:ghinstallation_project:ghinstallation:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39304

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39304

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N	1.0	3.6	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.0	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L	0.8	4.2	GitHub, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: Low

CWE ids for CVE-2022-39304

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-39304

https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation

Authenticating with GitHub Apps - GitHub Docs
Technical Description;Third Party Advisory
https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

ghinstallation/transport.go at 24e56b3fb7669f209134a01eff731d7e2ef72a5c · bradleyfalzon/ghinstallation · GitHub
Exploit;Third Party Advisory
https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e

Add StatusCode to error message if refreshToken() fails due to an sus… · bradleyfalzon/ghinstallation@d24f14f · GitHub
Patch;Third Party Advisory
https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr

App JWT returned in error responses < v2.0.0 · Advisory · bradleyfalzon/ghinstallation · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39304

Products affected by CVE-2022-39304

Exploit prediction scoring system (EPSS) score for CVE-2022-39304

CVSS scores for CVE-2022-39304

CWE ids for CVE-2022-39304

References for CVE-2022-39304