
Renovate vulnerable to Azure DevOps token leakage in logs

Moderate severity GitHub Reviewed Published Sep 12, 2020 in renovatebot/renovate • Updated Jan 7, 2023

Package

npm renovate (npm)

Affected versions

>= 19.180.0, < 23.25.1

Patched versions

23.25.1

Description

Impact

Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs because the http.extraheader=AUTHORIZATION parameter was logged without redaction. Azure DevOps users are advised to revoke their existing bot credentials and generate new ones after upgrading if the logs may have been saved to a location that others can view.
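As an added illustration of the redaction that was missing (this is example code, not Renovate's own fix), the function below masks the credential that follows an http.extraheader=AUTHORIZATION option before a git command line reaches a log, and a companion check flags log lines where the credential is still present. The command shape and token values are constructed for the example.

```javascript
// Added example, not Renovate's own code: mask the credential carried in a git
// `-c http.extraheader=AUTHORIZATION: ...` option before a command line is
// written to a log. The command shape and token values below are constructed.

// Fresh regex per call (a shared /g regex keeps lastIndex state between calls).
// Group 1: everything up to the credential; group 2: the credential itself.
function extraheaderPattern() {
  return /(http\.extraheader=["']?AUTHORIZATION:\s*(?:bearer|basic)\s+)([^"'\s]+)/gi;
}

const MASK = '***';

// Return `line` with every AUTHORIZATION extraheader credential replaced by MASK.
function redactAuthorizationHeader(line) {
  return line.replace(extraheaderPattern(), `$1${MASK}`);
}

// Redact each element of an argv-style array (child_process.spawn style),
// so the sanitized form can be logged while the real args go to git.
function redactArgs(args) {
  return args.map(redactAuthorizationHeader);
}

// Detection check for existing logs: true if a line still carries a credential
// after an AUTHORIZATION extraheader, i.e. redaction did not run on it.
function containsUnredactedToken(line) {
  for (const m of line.matchAll(extraheaderPattern())) {
    if (m[2] !== MASK) return true;
  }
  return false;
}

// Constructed sample of the kind of invocation that would have been logged.
const sampleCommand =
  'git -c http.extraheader="AUTHORIZATION: bearer example-token-123" fetch origin';

console.log(redactAuthorizationHeader(sampleCommand));
// → git -c http.extraheader="AUTHORIZATION: bearer ***" fetch origin
```

The detection helper can be run over archived pipeline output to decide whether the credential rotation recommended above is needed for a given log store.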

Patches

Fixed in

Workarounds

Do not share Renovate logs with anyone who cannot be trusted with access to the token.

References

@rarkins rarkins published to renovatebot/renovate Sep 12, 2020
Reviewed Sep 14, 2020
Published to the GitHub Advisory Database Sep 14, 2020
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-36rh-ggpr-j3gj

Source code

Credits
